diff --git a/patches.suse/x86-Don-t-let-pgprot_modify-change-the-page-encrypti.patch b/patches.suse/x86-Don-t-let-pgprot_modify-change-the-page-encrypti.patch
new file mode 100644
index 0000000..ea7cd6c
--- /dev/null
+++ b/patches.suse/x86-Don-t-let-pgprot_modify-change-the-page-encrypti.patch
@@ -0,0 +1,60 @@
+From: Thomas Hellstrom <thellstrom@vmware.com>
+Date: Wed, 4 Mar 2020 12:45:26 +0100
+Subject: x86: Don't let pgprot_modify() change the page encryption bit
+Git-commit: 6db73f17c5f155dbcfd5e48e621c706270b84df0
+Patch-mainline: 5.7-rc1
+References: git-fixes
+
+When SEV or SME is enabled and active, vm_get_page_prot() typically
+returns with the encryption bit set. This means that users of
+pgprot_modify(, vm_get_page_prot()) (mprotect_fixup(), do_mmap()) end up
+with a value of vma->vm_pg_prot that is not consistent with the intended
+protection of the PTEs.
+
+This is also important for fault handlers that rely on the VMA
+vm_page_prot to set the page protection. Fix this by not allowing
+pgprot_modify() to change the encryption bit, similar to how it's done
+for PAT bits.
+
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Link: https://lkml.kernel.org/r/20200304114527.3636-2-thomas_os@shipmail.org
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ arch/x86/include/asm/pgtable.h       |    7 +++++--
+ arch/x86/include/asm/pgtable_types.h |    2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -586,12 +586,15 @@ static inline pmd_t pmd_modify(pmd_t pmd
+ 	return __pmd(val);
+ }
+ 
+-/* mprotect needs to preserve PAT bits when updating vm_page_prot */
++/*
++ * mprotect needs to preserve PAT and encryption bits when updating
++ * vm_page_prot
++ */
+ #define pgprot_modify pgprot_modify
+ static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
+ {
+ 	pgprotval_t preservebits = pgprot_val(oldprot) & _PAGE_CHG_MASK;
+-	pgprotval_t addbits = pgprot_val(newprot);
++	pgprotval_t addbits = pgprot_val(newprot) & ~_PAGE_CHG_MASK;
+ 	return __pgprot(preservebits | addbits);
+ }
+ 
+--- a/arch/x86/include/asm/pgtable_types.h
++++ b/arch/x86/include/asm/pgtable_types.h
+@@ -136,7 +136,7 @@
+  */
+ #define _PAGE_CHG_MASK	(PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT |		\
+ 			 _PAGE_SPECIAL | _PAGE_ACCESSED | _PAGE_DIRTY |	\
+-			 _PAGE_SOFT_DIRTY | _PAGE_DEVMAP)
++			 _PAGE_SOFT_DIRTY | _PAGE_DEVMAP | _PAGE_ENC)
+ #define _HPAGE_CHG_MASK (_PAGE_CHG_MASK | _PAGE_PSE)
+ 
+ /*
diff --git a/series.conf b/series.conf
index 13e18e6..c27fccc 100644
--- a/series.conf
+++ b/series.conf
@@ -55742,6 +55742,7 @@
 	patches.suse/firmware-arm_sdei-fix-double-lock-on-hibernate-with-.patch
 	patches.suse/firmware-arm_sdei-fix-possible-double-lock-on-hibern.patch
 	patches.suse/x86-pkeys-Add-check-for-pkey-overflow.patch
+	patches.suse/x86-Don-t-let-pgprot_modify-change-the-page-encrypti.patch
 	patches.suse/btrfs-use-btrfs_ordered_update_i_size-in-clone_finish_inode_update.patch
 	patches.suse/btrfs-introduce-per-inode-file-extent-tree.patch
 	patches.suse/btrfs-use-the-file-extent-tree-infrastructure.patch