--- ./kernel/fork.c.tmve0	2009-10-27 14:53:09.000000000 +0300
+++ ./kernel/fork.c	2009-10-27 15:36:45.000000000 +0300
@@ -77,6 +77,9 @@ EXPORT_SYMBOL(nr_threads);
 
 int max_threads;		/* tunable limit on nr_threads */
 
+#define VE0_ROOT_THREAD_RESERVE 32 /* that many threads ve0 root will be
+				      able to create after hitting the limit */
+
 DEFINE_PER_CPU(unsigned long, process_counts) = 0;
 
 __cacheline_aligned DEFINE_RWLOCK(tasklist_lock);  /* outer */
@@ -1186,8 +1189,17 @@ static struct task_struct *copy_process(
 	 * triggers too late. This doesn't hurt, the check is only there
 	 * to stop root fork bombs.
 	 */
-	if (nr_threads >= max_threads)
-		goto bad_fork_cleanup_count;
+	if (nr_threads >= max_threads) {
+		if (!capable(CAP_SYS_ADMIN))
+			goto bad_fork_cleanup_count;
+		if (nr_threads >= max_threads + VE0_ROOT_THREAD_RESERVE)
+			goto bad_fork_cleanup_count;
+
+		if (printk_ratelimit())
+			printk(KERN_CRIT "Too many threads on node (%d). "
+					"Only ve0 root can fork by now.\n",
+					nr_threads);
+	}
 
 	if (!try_module_get(task_thread_info(p)->exec_domain->module))
 		goto bad_fork_cleanup_count;
