diff --git a/debian/changelog b/debian/changelog index 4a709e85d..429c53e53 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,7 +26,7 @@ linux-2.6 (2.6.32-11) UNRELEASED; urgency=low [ maximilian attems] * [alpha, hppa] Disable oprofile as tracing code is unsupported here. (closes: #574368) - * Update openvz patch to 796e80e5b2ed. (closes: #574598, #575189) + * Update openvz patch to 14a9729fab67. (closes: #574598, #575189) * [x86]: Disable FB_INTEL. (closes: #447575, #503766, #574401) * ssb: do not read SPROM if it does not exist. * ssb: Avoid null pointer dereference by aboves. diff --git a/debian/patches/features/all/openvz/openvz.patch b/debian/patches/features/all/openvz/openvz.patch index 210bd5c9c..e1d764101 100644 --- a/debian/patches/features/all/openvz/openvz.patch +++ b/debian/patches/features/all/openvz/openvz.patch @@ -1,3 +1,51 @@ +commit 14a9729fab679c9c9f15e2ff44070806247b62c5 +Author: Pavel Emelyanov +Date: Fri Apr 2 23:00:10 2010 +0400 + + inotify: Return lost mntputs for inotify mnts + + Otherwise we leak the mountpoint and sometimes much more. + + Signed-off-by: Pavel Emelyanov + +commit 0b1c1e340b9008360e0a0d4083702ec8546ec1bd +Author: Pavel Emelyanov +Date: Fri Apr 2 22:59:12 2010 +0400 + + cpt: Fix 32bit version of cpt kernel thread creation + + http://bugzilla.openvz.org/show_bug.cgi?id=1482 + + Signed-off-by: Pavel Emelyanov + +commit 760a36fb468201cb4964c7a542172bda941fe755 +Author: Pavel Emelyanov +Date: Fri Apr 2 16:21:41 2010 +0400 + + devcg: Check for device permissions for DEV_ALL rules + + Thanks to cd500819 commit :\ + + http://bugzilla.openvz.org/show_bug.cgi?id=1478 + + 
Signed-off-by: Pavel Emelyanov + +commit e6ad27ee6e87614512d44074d841df822453dda7 +Author: Cyrill Gorcunov +Date: Thu Mar 25 19:47:32 2010 +0300 + + iptables: Restore NAT functionality for node + + During migration to new iptables management code + VE0 lost NAT table access. Restore it. Moreover + VE0 gets highest priviledge -- ie all iptables + functionality is not filtering. + + http://bugzilla.openvz.org/show_bug.cgi?id=1473 + + Signed-off-by: Cyrill Gorcunov + Signed-off-by: Pavel Emelyanov + commit 796e80e5b2edff524f40a608be511143b4c8c828 Author: Pavel Emelyanov Date: Fri Mar 19 11:17:45 2010 +0300 @@ -11512,7 +11560,7 @@ index f234f3a..21faa74 100644 extern void inotify_ignored_and_remove_idr(struct fsnotify_mark_entry *entry, diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c -index 1afb0a1..cc59c5c 100644 +index 1afb0a1..9b31a34 100644 --- a/fs/notify/inotify/inotify_fsnotify.c +++ b/fs/notify/inotify/inotify_fsnotify.c @@ -28,6 +28,8 @@ @@ -11532,7 +11580,7 @@ index 1afb0a1..cc59c5c 100644 } void inotify_free_event_priv(struct fsnotify_event_private_data *fsn_event_priv) -@@ -159,10 +162,24 @@ void inotify_free_event_priv(struct fsnotify_event_private_data *fsn_event_priv) +@@ -159,10 +162,25 @@ void inotify_free_event_priv(struct fsnotify_event_private_data *fsn_event_priv) kmem_cache_free(event_priv_cachep, event_priv); } @@ -11545,6 +11593,7 @@ index 1afb0a1..cc59c5c 100644 + dput(e->path.dentry); + e->path.dentry = NULL; + mnt_unpin(e->path.mnt); ++ mntput(e->path.mnt); + e->path.dentry = NULL; + } +} @@ -11558,7 +11607,7 @@ index 1afb0a1..cc59c5c 100644 + .detach_mnt = inotify_detach_mnt, }; diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c -index ca44337..7dd3eb4 100644 +index ca44337..745983d 100644 --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c @@ -40,6 +40,7 @@ 
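Review bot: In inotify_detach_mnt (fs/notify/inotify/inotify_fsnotify.c, the @@ -159 hunk) the statement following the new mntput() is `e->path.dentry = NULL;` for the second time, while e->path.mnt keeps pointing at the mount that has just been unpinned and put; the duplicate assignment looks like it was meant to be `e->path.mnt = NULL;`. Now that the reference is actually dropped, any later code that tests path.mnt the way inotify_free_mark tests path.dentry would act on a released vfsmount, so clearing it here is the cheap way to make a second detach or a late free harmless. The matching mntput() added to inotify_free_mark (the @@ -461 hunk in fs/notify/inotify/inotify_user.c) does not need this, because the entry is freed immediately afterwards. The enclosing function inotify_detach_mnt begins outside the hunk.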
@@ -11586,19 +11635,20 @@ index ca44337..7dd3eb4 100644 /* -@@ -461,6 +463,11 @@ static void inotify_free_mark(struct fsnotify_mark_entry *entry) +@@ -461,6 +463,12 @@ static void inotify_free_mark(struct fsnotify_mark_entry *entry) { struct inotify_inode_mark_entry *ientry = (struct inotify_inode_mark_entry *)entry; + if (ientry->path.dentry) { + dput(ientry->path.dentry); + mnt_unpin(ientry->path.mnt); ++ mntput(ientry->path.mnt); + } + kmem_cache_free(inotify_inode_mark_cachep, ientry); } -@@ -527,16 +534,13 @@ static int inotify_update_existing_watch(struct fsnotify_group *group, +@@ -527,16 +535,13 @@ static int inotify_update_existing_watch(struct fsnotify_group *group, return ret; } @@ -11618,7 +11668,7 @@ index ca44337..7dd3eb4 100644 if (unlikely(!mask)) return -EINVAL; -@@ -547,6 +551,8 @@ static int inotify_new_watch(struct fsnotify_group *group, +@@ -547,6 +552,8 @@ static int inotify_new_watch(struct fsnotify_group *group, fsnotify_init_mark(&tmp_ientry->fsn_entry, inotify_free_mark); tmp_ientry->fsn_entry.mask = mask; tmp_ientry->wd = -1; @@ -11627,7 +11677,7 @@ index ca44337..7dd3eb4 100644 ret = -ENOSPC; if (atomic_read(&group->inotify_data.user->inotify_watches) >= inotify_max_user_watches) -@@ -556,10 +562,14 @@ retry: +@@ -556,10 +563,14 @@ retry: if (unlikely(!idr_pre_get(&group->inotify_data.idr, GFP_KERNEL))) goto out_err; @@ -11644,7 +11694,7 @@ index ca44337..7dd3eb4 100644 spin_unlock(&group->inotify_data.idr_lock); if (ret) { /* idr was out of memory allocate and try again */ -@@ -568,11 +578,17 @@ retry: +@@ -568,11 +579,17 @@ retry: goto out_err; } @@ -11663,7 +11713,7 @@ index ca44337..7dd3eb4 100644 if (ret) { /* we failed to get on the inode, get off the idr */ inotify_remove_from_idr(group, tmp_ientry); -@@ -585,6 +601,12 @@ retry: +@@ -585,6 +602,12 @@ retry: /* increment the number of watches the user has */ atomic_inc(&group->inotify_data.user->inotify_watches); 
@@ -11676,7 +11726,7 @@ index ca44337..7dd3eb4 100644 /* return the watch descriptor for this new entry */ ret = tmp_ientry->wd; -@@ -601,17 +623,24 @@ out_err: +@@ -601,17 +624,24 @@ out_err: return ret; } @@ -11704,7 +11754,7 @@ index ca44337..7dd3eb4 100644 /* * inotify_new_watch could race with another thread which did an * inotify_new_watch between the update_existing and the add watch -@@ -711,12 +740,12 @@ SYSCALL_DEFINE0(inotify_init) +@@ -711,12 +741,12 @@ SYSCALL_DEFINE0(inotify_init) { return sys_inotify_init1(0); } @@ -11718,7 +11768,7 @@ index ca44337..7dd3eb4 100644 struct path path; struct file *filp; int ret, fput_needed; -@@ -741,12 +770,10 @@ SYSCALL_DEFINE3(inotify_add_watch, int, fd, const char __user *, pathname, +@@ -741,12 +771,10 @@ SYSCALL_DEFINE3(inotify_add_watch, int, fd, const char __user *, pathname, if (ret) goto fput_and_out; @@ -42370,10 +42420,10 @@ index 0000000..87f6bfd +} diff --git a/kernel/cpt/cpt_kernel.c b/kernel/cpt/cpt_kernel.c new file mode 100644 -index 0000000..5eb7f1c +index 0000000..3272d81 --- /dev/null +++ b/kernel/cpt/cpt_kernel.c -@@ -0,0 +1,177 @@ +@@ -0,0 +1,178 @@ +/* + * + * kernel/cpt/cpt_kernel.c @@ -42420,6 +42470,7 @@ index 0000000..5eb7f1c + regs.ds = __USER_DS; + regs.es = __USER_DS; + regs.fs = __KERNEL_PERCPU; ++ regs.gs = __KERNEL_STACK_CANARY; + regs.orig_ax = -1; + regs.ip = (unsigned long) kernel_thread_helper; + regs.cs = __KERNEL_CS | get_kernel_rpl(); @@ -63674,10 +63725,10 @@ index 0000000..1b82c35 + diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c new file mode 100644 -index 0000000..7da3e04 +index 0000000..8b59ff7 --- /dev/null +++ b/kernel/ve/ve.c -@@ -0,0 +1,118 @@ +@@ -0,0 +1,119 @@ +/* + * linux/kernel/ve/ve.c + * @@ -63757,6 +63808,7 @@ index 0000000..7da3e04 + .op_sem = __RWSEM_INITIALIZER(ve0.op_sem), +#ifdef CONFIG_VE_IPTABLES + .ipt_mask = VE_IP_ALL, ++ ._iptables_modules = VE_IP_ALL, +#endif + .features = VE_FEATURE_SIT | VE_FEATURE_IPIP | + VE_FEATURE_PPP, 
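Review bot: The added `regs.gs = __KERNEL_STACK_CANARY;` in kernel/cpt/cpt_kernel.c (the @@ -42420 hunk) carries no explanation, and its value depends on the stack-protector configuration rather than being a fixed selector like the neighbouring ds/es assignments. A comment such as `/* 32-bit: gs must carry the stack-protector canary segment, as arch kernel_thread() does */` would tell the next reader why the line exists and which arch routine it is meant to mirror. From this hunk alone it cannot be confirmed that the block is confined to CONFIG_X86_32, although the use of regs.fs and regs.ds on pt_regs suggests it is. The enclosing function starts and ends outside the hunk.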
@@ -79048,7 +79100,7 @@ index fe30751..6110691 100644 return 0; } diff --git a/security/device_cgroup.c b/security/device_cgroup.c -index 6cf8fd2..2d34b00 100644 +index 6cf8fd2..02aeae6 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c @@ -12,11 +12,23 @@ @@ -79148,7 +79200,7 @@ index 6cf8fd2..2d34b00 100644 } rcu_read_unlock(); -@@ -474,37 +527,35 @@ struct cgroup_subsys devices_subsys = { +@@ -474,38 +527,35 @@ struct cgroup_subsys devices_subsys = { .subsys_id = devices_subsys_id, }; @@ -79183,17 +79235,19 @@ index 6cf8fd2..2d34b00 100644 - if (wh->minor != ~0 && wh->minor != iminor(inode)) + if (wh->minor != ~0 && wh->minor != MINOR(device)) continue; - +- ++found: if ((mask & MAY_WRITE) && !(wh->access & ACC_WRITE)) continue; if ((mask & MAY_READ) && !(wh->access & ACC_READ)) continue; +-found: + if ((mask & MAY_QUOTACTL) && !(wh->access & ACC_QUOTA)) + continue; - found: rcu_read_unlock(); return 0; -@@ -515,6 +566,15 @@ found: + } +@@ -515,6 +565,15 @@ found: } EXPORT_SYMBOL_GPL(devcgroup_inode_permission); @@ -79209,7 +79263,19 @@ index 6cf8fd2..2d34b00 100644 int devcgroup_inode_mknod(int mode, dev_t dev) { struct dev_cgroup *dev_cgroup; -@@ -550,3 +610,75 @@ found: +@@ -538,10 +597,9 @@ int devcgroup_inode_mknod(int mode, dev_t dev) + continue; + if (wh->minor != ~0 && wh->minor != MINOR(dev)) + continue; +- ++found: + if (!(wh->access & ACC_MKNOD)) + continue; +-found: + rcu_read_unlock(); + return 0; + } +@@ -550,3 +608,75 @@ found: return -EPERM; }
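Review bot: Moving `found:` ahead of the access-bit tests in devcgroup_inode_permission (the @@ -474 hunk of security/device_cgroup.c) is the whole fix, but nothing in the code says why the label must sit there, and the previous layout with the label after the checks is exactly what a tidy-minded reader would restore. A one-line comment above the label, `/* DEV_ALL rules jump here: they must still pass the access-bit checks below */`, would pin the intent; the same applies to the relocated `found:` in devcgroup_inode_mknod (the @@ -538 hunk), where the `goto found` that targets it is not visible in either hunk. The new MAY_QUOTACTL/ACC_QUOTA test follows the existing continue pattern, so a matching rule that lacks ACC_QUOTA falls through to the remaining whitelist entries and ultimately to -EPERM rather than returning 0. Both enclosing functions begin outside their hunks.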