Index: 2007-01-31/xen/arch/x86/mm.c
===================================================================
--- 2007-01-31.orig/xen/arch/x86/mm.c 2007-01-31 09:42:10.000000000 +0100
+++ 2007-01-31/xen/arch/x86/mm.c 2007-01-31 09:43:38.000000000 +0100
@@ -3248,14 +3248,15 @@ static int ptwr_emulated_update(
     {
         if ( (CONFIG_PAGING_LEVELS == 3 || IS_COMPAT(d)) &&
              (bytes == 4) &&
+             (addr & 4) &&
              !do_cmpxchg &&
              (l1e_get_flags(nl1e) & _PAGE_PRESENT) )
         {
             /*
-             * If this is a half-write to a PAE PTE then we assume that the
-             * guest has simply got the two writes the wrong way round. We
-             * zap the PRESENT bit on the assumption the bottom half will be
-             * written immediately after we return to the guest.
+             * If this is an upper half write to a PAE PTE then we assume
+             * that the guest has simply got the two writes the wrong way
+             * round. We zap the PRESENT bit on the assumption the bottom
+             * half will be written immediately after we return to the guest.
              */
             MEM_LOG("ptwr_emulate: fixing up invalid PAE PTE %"PRIpte,
                     l1e_get_intpte(nl1e));
@@ -3387,7 +3388,7 @@ int ptwr_do_page_fault(struct vcpu *v, u
          (page_get_owner(page) != d) )
         goto bail;
-    ptwr_ctxt.ctxt.regs = guest_cpu_user_regs();
+    ptwr_ctxt.ctxt.regs = regs;
     ptwr_ctxt.ctxt.mode = !IS_COMPAT(d) ? X86EMUL_MODE_HOST :
                                          X86EMUL_MODE_PROT32;
     ptwr_ctxt.cr2 = addr;
     ptwr_ctxt.pte = pte;
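Review bot: The new `(addr & 4)` term in the fixup condition is a bare magic number whose meaning — the 4-byte store lands in the upper dword of an 8-byte PAE PTE — is only recoverable from the comment a few lines below, and it silently relies on `addr` being naturally aligned for a 4-byte store, so I'd state both at the line itself: `(addr & 4) && /* upper dword of the 8-byte PTE; relies on the store being 4-byte aligned */`. If the alignment check I assume precedes this block in ptwr_emulated_update is absent or later relaxed, a misaligned store straddling the dword boundary would be classified by bit 2 alone and a lower-half write carrying _PAGE_PRESENT could again have its PRESENT bit zapped, which is exactly what this hunk sets out to stop. The enclosing function, and the `if` whose `{` opens this hunk, both begin outside the hunk, so the alignment guarantee is inferred rather than visible here.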
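Review bot: `ptwr_ctxt.ctxt.regs = regs;` now hands the emulator whichever frame the caller of ptwr_do_page_fault supplies, with no check that it is non-NULL or that it is the guest's trap frame, whereas `guest_cpu_user_regs()` always resolved to the current vCPU's frame; the hunk shows no such check and the function's prologue and epilogue are outside it. Because the emulation context decodes and writes register state through `ctxt.regs`, I'd pin the contract on the parameter in a comment at the function header, e.g. `/* @regs: trap frame of the faulting guest instruction; the emulator decodes and writes back guest registers through it. */`. If every caller is in fact the #PF path, an `ASSERT(regs == guest_cpu_user_regs());` at this line would keep the old invariant explicit in debug builds; whether any caller passes a different frame is not visible here, so that is a question for the author rather than a request.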