diff -NurpP --minimal linux-2.6.17.7-vs2.1.1-rc27.2/include/linux/vserver/network.h linux-2.6.17.7-vs2.1.1-rc27.3/include/linux/vserver/network.h
--- linux-2.6.17.7-vs2.1.1-rc27.2/include/linux/vserver/network.h	2006-07-09 17:07:13 +0200
+++ linux-2.6.17.7-vs2.1.1-rc27.3/include/linux/vserver/network.h	2006-07-30 03:14:46 +0200
@@ -13,6 +13,8 @@
 
 /* network flags */
 
+#define NXF_INFO_LOCK		0x00000001
+
 #define NXF_STATE_SETUP		(1ULL<<32)
 
 #define NXF_SC_HELPER		(1ULL<<36)
diff -NurpP --minimal linux-2.6.17.7-vs2.1.1-rc27.2/kernel/vserver/context.c linux-2.6.17.7-vs2.1.1-rc27.3/kernel/vserver/context.c
--- linux-2.6.17.7-vs2.1.1-rc27.2/kernel/vserver/context.c	2006-07-30 02:54:33 +0200
+++ linux-2.6.17.7-vs2.1.1-rc27.3/kernel/vserver/context.c	2006-07-30 03:14:46 +0200
@@ -578,6 +578,10 @@ int vx_migrate_user(struct task_struct *
 
 	if (!p || !vxi)
 		BUG();
+
+	if (vx_info_flags(vxi, VXF_INFO_LOCK, 0))
+		return -EACCES;
+
 	new_user = alloc_uid(vxi->vx_id, p->uid);
 	if (!new_user)
 		return -ENOMEM;
@@ -636,14 +640,17 @@ int vx_migrate_task(struct task_struct *
 	if (!p || !vxi)
 		BUG();
 
-	old_vxi = task_get_vx_info(p);
-	if (old_vxi == vxi)
-		goto out;
-
 	vxdprintk(VXD_CBIT(xid, 5),
 		"vx_migrate_task(%p,%p[#%d.%d])", p, vxi,
 		vxi->vx_id, atomic_read(&vxi->vx_usecnt));
 
+	if (vx_info_flags(vxi, VXF_INFO_LOCK, 0))
+		return -EACCES;
+
+	old_vxi = task_get_vx_info(p);
+	if (old_vxi == vxi)
+		goto out;
+
 	if (!(ret = vx_migrate_user(p, vxi))) {
 		int openfd;
 
@@ -836,9 +843,10 @@ int vc_ctx_create(uint32_t xid, void __u
 		vx_set_persistent(new_vxi);
 
 	vs_state_change(new_vxi, VSC_STARTUP);
-	ret = new_vxi->vx_id;
-	vx_migrate_task(current, new_vxi);
+	ret = vx_migrate_task(current, new_vxi);
 	/* if this fails, we might end up with a hashed vx_info */
+	if (ret == 0)
+		ret = new_vxi->vx_id;
 	put_vx_info(new_vxi);
 	return ret;
 }
diff -NurpP --minimal linux-2.6.17.7-vs2.1.1-rc27.2/kernel/vserver/network.c linux-2.6.17.7-vs2.1.1-rc27.3/kernel/vserver/network.c
--- linux-2.6.17.7-vs2.1.1-rc27.2/kernel/vserver/network.c	2006-07-10 01:52:23 +0200
+++ linux-2.6.17.7-vs2.1.1-rc27.3/kernel/vserver/network.c	2006-07-30 03:14:46 +0200
@@ -387,6 +387,9 @@ int nx_migrate_task(struct task_struct *
 		atomic_read(&nxi->nx_usecnt),
 		atomic_read(&nxi->nx_tasks));
 
+	if (nx_info_flags(nxi, NXF_INFO_LOCK, 0))
+		return -EACCES;
+
 	/* maybe disallow this completely? */
 	old_nxi = task_get_nx_info(p);
 	if (old_nxi == nxi)
@@ -595,8 +598,7 @@ int vc_net_create(uint32_t nid, void __u
 
 int vc_net_migrate(struct nx_info *nxi, void __user *data)
 {
-	nx_migrate_task(current, nxi);
-	return 0;
+	return nx_migrate_task(current, nxi);
 }
 
 int vc_net_add(struct nx_info *nxi, void __user *data)
diff -u linux-2.6.17.7-vs2.1.1-rc27.6/kernel/vserver/namespace.c linux-2.6.17.7-vs2.1.1-rc27.6/kernel/vserver/namespace.c
--- linux-2.6.17.7-vs2.1.1-rc27.6/kernel/vserver/namespace.c	2006-07-30 03:46:39 +0200
+++ linux-2.6.17.7-vs2.1.1-rc27.6/kernel/vserver/namespace.c	2006-07-30 03:46:39 +0200
@@ -33,6 +33,8 @@
 	struct fs_struct *old_fs, *fs;
 	struct namespace *old_ns;
 
+	if (vx_info_flags(vxi, VXF_INFO_LOCK, 0))
+		return -EACCES;
 	if (!vxi->vx_namespace)
 		return -EINVAL;