diff --git a/lfs/linux b/lfs/linux
index 5c37a4b59..e365be6af 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -132,6 +132,7 @@ ifneq "$(KCFG)" "-headers"
 cd $(DIR_APP) && xz -c -d $(DIR_DL)/$(GRS_PATCHES) | patch -Np1
 cd $(DIR_APP) && rm localversion-grsec
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.7-disable-compat_vdso.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch
 endif
 
 # DVB Patches
diff --git a/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch b/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch
new file mode 100644
index 000000000..19d044892
--- /dev/null
+++ b/src/patches/linux-3.14.77-gsrec_tcp_input_access_once_rw.patch
@@ -0,0 +1,18 @@
+diff -Naur linux-3.14.77.org/net/ipv4/tcp_input.c linux-3.14.77/net/ipv4/tcp_input.c
+--- linux-3.14.77.org/net/ipv4/tcp_input.c 2016-08-21 19:58:45.000000000 +0200
++++ linux-3.14.77/net/ipv4/tcp_input.c 2016-08-21 21:11:24.336757369 +0200
+@@ -3299,12 +3299,12 @@
+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
+ 
+ challenge_timestamp = now;
+- ACCESS_ONCE(challenge_count) = half +
++ ACCESS_ONCE_RW(challenge_count) = half +
+ prandom_u32_max(sysctl_tcp_challenge_ack_limit);
+ }
+ count = ACCESS_ONCE(challenge_count);
+ if (count > 0) {
+- ACCESS_ONCE(challenge_count) = count - 1;
++ ACCESS_ONCE_RW(challenge_count) = count - 1;
+ NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
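Review bot: The patch file name spells grsec as `gsrec` (`linux-3.14.77-gsrec_tcp_input_access_once_rw.patch`), both on the added recipe line and in the new file under src/patches, so a search for grsec-related patches will miss it; consider renaming it to `linux-3.14.77-grsec_tcp_input_access_once_rw.patch` in both places. The added line also carries no comment saying that it has to run after the `$(GRS_PATCHES)` step, since `ACCESS_ONCE_RW` appears to be provided only by that patch set; a line such as `# Build fix: tcp_input.c writes need ACCESS_ONCE_RW once grsecurity is applied` above it would record the ordering. The version in the name pins the patch to 3.14.77, so it should be re-checked on the next kernel or grsecurity bump.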
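Review bot: The new patch file starts directly at `diff -Naur` with no header, so nothing records why the two stores to `challenge_count` are switched to `ACCESS_ONCE_RW` while the load `count = ACCESS_ONCE(challenge_count);` is left as it is. A few header lines would help the next kernel update: that this is a compile fix for the grsecurity tree (where `ACCESS_ONCE` presumably no longer yields a writable lvalue), that it leaves the challenge-ACK rate-limit logic unchanged, and where the change originated. It is also worth confirming that no other store through `ACCESS_ONCE` remains in the patched tree, since only these two sites are visible here. The enclosing function in tcp_input.c starts and ends outside the hunk.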