diff --git a/debian/changelog b/debian/changelog
index d2b247d0a..3607abbe2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+linux (4.19.118-2) UNRELEASED; urgency=medium
+
+ * Merge changes from 4.19.67-2+deb10u2 to include all security fixes from
+ DSA 4667-1.
+
+ -- Salvatore Bonaccorso Tue, 28 Apr 2020 23:05:34 +0200
+
 linux (4.19.118-1) buster; urgency=medium
 * New upstream stable update:
@@ -1842,6 +1849,20 @@ linux (4.19.118-1) buster; urgency=medium
 -- Ben Hutchings Sun, 26 Apr 2020 14:04:11 +0100
+linux (4.19.98-1+deb10u1) buster-security; urgency=high
+
+ * [x86] KVM: nVMX: Don't emulate instructions in guest mode (CVE-2020-2732)
+ * do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+ (CVE-2020-8428)
+ * vfs: fix do_last() regression
+ * vhost: Check docket sk_family instead of call getname (CVE-2020-10942)
+ * mm: mempolicy: require at least one nodeid for MPOL_PREFERRED
+ (CVE-2020-11565)
+ * [s390x] mm: fix page table upgrade vs 2ndary address mode accesses
+ (CVE-2020-11884)
+
+ -- Salvatore Bonaccorso Mon, 27 Apr 2020 07:05:39 +0200
+
 linux (4.19.98-1) buster; urgency=medium
 * New upstream stable update:
diff --git a/debian/patches/bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch b/debian/patches/bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
new file mode 100644
index 000000000..6bc9862ae
--- /dev/null
+++ b/debian/patches/bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch 
@@ -0,0 +1,132 @@
+From 54324ebc2ae2c404f1fe97050af832f0a031287e Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Wed, 15 Apr 2020 15:21:01 +0200
+Subject: [PATCH] s390/mm: fix page table upgrade vs 2ndary address mode
+ accesses
+
+A page table upgrade in a kernel section that uses secondary address
+mode will mess up the kernel instructions as follows:
+
+Consider the following scenario: two threads are sharing memory.
+On CPU1 thread 1 does e.g. strnlen_user(). That gets to
+ old_fs = enable_sacf_uaccess();
+ len = strnlen_user_srst(src, size);
+and
+ " la %2,0(%1)\n"
+ " la %3,0(%0,%1)\n"
+ " slgr %0,%0\n"
+ " sacf 256\n"
+ "0: srst %3,%2\n"
+in strnlen_user_srst(). At that point we are in secondary space mode,
+control register 1 points to kernel page table and instruction fetching
+happens via c1, rather than usual c13. Interrupts are not disabled, for
+obvious reasons.
+
+On CPU2 thread 2 does MAP_FIXED mmap(), forcing the upgrade of page table
+from 3-level to e.g. 4-level one. We'd allocated new top-level table,
+set it up and now we hit this:
+ notify = 1;
+ spin_unlock_bh(&mm->page_table_lock);
+ }
+ if (notify)
+ on_each_cpu(__crst_table_upgrade, mm, 0);
+OK, we need to actually change over to use of new page table and we
+need that to happen in all threads that are currently running. Which
+happens to include the thread 1. IPI is delivered and we have
+static void __crst_table_upgrade(void *arg)
+{
+ struct mm_struct *mm = arg;
+
+ if (current->active_mm == mm)
+ set_user_asce(mm);
+ __tlb_flush_local();
+}
+run on CPU1. That does
+static inline void set_user_asce(struct mm_struct *mm)
+{
+ S390_lowcore.user_asce = mm->context.asce;
+OK, user page table address updated...
+ __ctl_load(S390_lowcore.user_asce, 1, 1);
+... and control register 1 set to it.
+ clear_cpu_flag(CIF_ASCE_PRIMARY);
+}
+
+IPI is run in home space mode, so it's fine - insns are fetched
+using c13, which always points to kernel page table. 
But as soon
+as we return from the interrupt, previous PSW is restored, putting
+CPU1 back into secondary space mode, at which point we no longer
+get the kernel instructions from the kernel mapping.
+
+The fix is to only fixup the control registers that are currently in use
+for user processes during the page table update. We must also disable
+interrupts in enable_sacf_uaccess to synchronize the cr and
+thread.mm_segment updates against the on_each-cpu.
+
+Fixes: 0aaba41b58bc ("s390: remove all code using the access register mode")
+Cc: stable@vger.kernel.org # 4.15+
+Reported-by: Al Viro
+Reviewed-by: Gerald Schaefer
+References: CVE-2020-11884
+Signed-off-by: Christian Borntraeger
+---
+ arch/s390/lib/uaccess.c | 4 ++++
+ arch/s390/mm/pgalloc.c | 16 ++++++++++++++--
+ 2 files changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/lib/uaccess.c b/arch/s390/lib/uaccess.c
+index c4f8039a35e8..0267405ab7c6 100644
+--- a/arch/s390/lib/uaccess.c
++++ b/arch/s390/lib/uaccess.c
+@@ -64,10 +64,13 @@ mm_segment_t enable_sacf_uaccess(void)
+ {
+ mm_segment_t old_fs;
+ unsigned long asce, cr;
++ unsigned long flags;
+
+ old_fs = current->thread.mm_segment;
+ if (old_fs & 1)
+ return old_fs;
++ /* protect against a concurrent page table upgrade */
++ local_irq_save(flags);
+ current->thread.mm_segment |= 1;
+ asce = S390_lowcore.kernel_asce;
+ if (likely(old_fs == USER_DS)) {
+@@ -83,6 +86,7 @@ mm_segment_t enable_sacf_uaccess(void)
+ __ctl_load(asce, 7, 7);
+ set_cpu_flag(CIF_ASCE_SECONDARY);
+ }
++ local_irq_restore(flags);
+ return old_fs;
+ }
+ EXPORT_SYMBOL(enable_sacf_uaccess);
+diff --git a/arch/s390/mm/pgalloc.c b/arch/s390/mm/pgalloc.c
+index 498c98a312f4..fff169d64711 100644
+--- a/arch/s390/mm/pgalloc.c
++++ b/arch/s390/mm/pgalloc.c
+@@ -70,8 +70,20 @@ static void __crst_table_upgrade(void *arg)
+ {
+ struct mm_struct *mm = arg;
+
+- if (current->active_mm == mm)
+- set_user_asce(mm);
++ /* we must change all active ASCEs to avoid the creation of new 
TLBs */
++ if (current->active_mm == mm) {
++ S390_lowcore.user_asce = mm->context.asce;
++ if (current->thread.mm_segment == USER_DS) {
++ __ctl_load(S390_lowcore.user_asce, 1, 1);
++ /* Mark user-ASCE present in CR1 */
++ clear_cpu_flag(CIF_ASCE_PRIMARY);
++ }
++ if (current->thread.mm_segment == USER_DS_SACF) {
++ __ctl_load(S390_lowcore.user_asce, 7, 7);
++ /* enable_sacf_uaccess does all or nothing */
++ WARN_ON(!test_cpu_flag(CIF_ASCE_SECONDARY));
++ }
++ }
+ __tlb_flush_local();
+ }
+
+--
+2.25.2
+
+
diff --git a/debian/patches/series b/debian/patches/series
index fa45b7320..c4eedde94 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -299,5 +299,6 @@ bugfix/all/net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch
 bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
 bugfix/all/blktrace-protect-q-blk_trace-with-rcu.patch
 bugfix/all/blktrace-fix-dereference-after-null-check.patch
+bugfix/s390x/s390-mm-fix-page-table-upgrade-vs-2ndary-address-mod.patch
 # ABI maintenance
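Review bot: The rewritten `__crst_table_upgrade` in the pgalloc.c hunk reloads CR1 only when `thread.mm_segment == USER_DS` and CR7 only when it is `USER_DS_SACF`, so a task whose segment is a kernel one (`KERNEL_DS`/`KERNEL_DS_SACF`) gets the updated `S390_lowcore.user_asce` but no control-register reload; that is presumably intentional (the kernel ASCE is in use there and the next switch back to a user segment reloads from lowcore), but nothing in the hunk says so, and a comment above `if (current->active_mm == mm) {` such as `/* kernel segments keep the kernel ASCE in CR1/CR7; the new user_asce is picked up on the next switch back to USER_DS */` would record the reasoning for the next backport. The `local_irq_save`/`local_irq_restore` pair is added only to `enable_sacf_uaccess`; the matching disable path is not in this patch and presumably also writes `thread.mm_segment` and reloads a control register, and neither the hunk nor the commit header says why it needs no equivalent protection against the IPI, which is worth one sentence in the patch header. The middle of `enable_sacf_uaccess` (between the two uaccess.c hunks) is not shown, so whether every exit of that function passes through the restore cannot be confirmed from here. Separately, the changelog stanza in this same commit says it merges `4.19.67-2+deb10u2`, while the stanza actually added is `linux (4.19.98-1+deb10u1) buster-security`, which looks like a version typo.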