diff --git a/debian/changelog b/debian/changelog
index 6ae8bfd3b..644cce933 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ linux (4.19.67-3) UNRELEASED; urgency=medium
 [ Romain Perier ]
 * [armel/rpi] Enable CONFIG_BRCMFMAC_SDIO (Closes: #940530)
+ [ Salvatore Bonaccorso ]
+ * ixgbe: Fix secpath usage for IPsec TX offload (Closes: #930443)
+
 -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
 linux (4.19.67-2+deb10u1) buster-security; urgency=high
diff --git a/debian/patches/bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch b/debian/patches/bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch
new file mode 100644
index 000000000..e249f4200
--- /dev/null
+++ b/debian/patches/bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch
@@ -0,0 +1,49 @@
+From: Steffen Klassert
+Date: Thu, 12 Sep 2019 13:01:44 +0200
+Subject: ixgbe: Fix secpath usage for IPsec TX offload.
+Origin: https://git.kernel.org/linus/f39b683d35dfa93a58f1b400a8ec0ff81296b37c
+Bug-Debian: https://bugs.debian.org/930443
+Bug: https://bugzilla.kernel.org/show_bug.cgi?id=204551
+
+The ixgbe driver currently does IPsec TX offloading
+based on an existing secpath. However, the secpath
+can also come from the RX side, in this case it is
+misinterpreted for TX offload and the packets are
+dropped with a "bad sa_idx" error. Fix this by using
+the xfrm_offload() function to test for TX offload.
+
+Fixes: 592594704761 ("ixgbe: process the Tx ipsec offload")
+Reported-by: Michael Marley
+Signed-off-by: Steffen Klassert
+Signed-off-by: David S. Miller
+[Salvatore Bonaccorso: Backport to 4.19.67: cherry-pick patch from 4.19.74
+release with adjusted context]
+---
+ drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+index 410d5d3aa393..2c3da1516036 100644
+--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+@@ -34,6 +34,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "ixgbe.h"
+ #include "ixgbe_common.h"
+@@ -8599,7 +8600,8 @@ netdev_tx_t ixgbe_xmit_frame_ring(struct sk_buff *skb,
+ #endif /* IXGBE_FCOE */
+
+ #ifdef CONFIG_XFRM_OFFLOAD
+- if (skb->sp && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
++ if (xfrm_offload(skb) &&
++ !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))
+ goto out_drop;
+ #endif
+ tso = ixgbe_tso(tx_ring, first, &hdr_len, &ipsec_tx);
+--
+2.23.0
+
diff --git a/debian/patches/series b/debian/patches/series
index b0b9b263d..d133145dd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
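Review bot: The rewritten condition in the second inner hunk (`if (xfrm_offload(skb) && !ixgbe_ipsec_tx(tx_ring, first, &ipsec_tx))`) has no comment explaining why it tests xfrm_offload() instead of the secpath, although that distinction is the whole fix: per the patch description a secpath can also come from the RX side, and treating it as a TX offload request dropped the packets with "bad sa_idx". I would add above the condition `/* A secpath alone may come from RX; only xfrm_offload() indicates TX offload. */` so a later cleanup does not fold the check back into a plain secpath test. ixgbe_xmit_frame_ring() starts and ends outside the hunk and ixgbe_ipsec_tx() is not shown, so whether the callee still reads the secpath directly cannot be confirmed from here and is worth checking in the backported 4.19.67 tree. The header also states the patch was cherry-picked from 4.19.74 with adjusted context while `Origin:` names only the mainline commit; recording the stable commit too, e.g. `Origin: backport, STABLE_COMMIT_URL` (placeholder), would make it easier to verify and drop the patch on the next rebase.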
@@ -105,6 +105,7 @@ bugfix/all/mt76-use-the-correct-hweight8-function.patch bugfix/all/rtc-s35390a-set-uie_unsupported.patch bugfix/all/dm-disable-discard-if-the-underlying-storage-no-longer-supports-it.patch bugfix/all/xfs-fix-missing-ILOCK-unlock-when-xfs_setattr_nonsiz.patch +bugfix/all/ixgbe-Fix-secpath-usage-for-IPsec-TX-offload.patch # Miscellaneous features