Index: /trunk/src/VBox/VMM/VMMAll/PGMAllHandler.cpp
===================================================================
--- /trunk/src/VBox/VMM/VMMAll/PGMAllHandler.cpp	(revision 19805)
+++ /trunk/src/VBox/VMM/VMMAll/PGMAllHandler.cpp	(revision 19806)
@@ -168,4 +168,5 @@
             rc = VINF_PGM_GCPHYS_ALIASED;
         pVM->pgm.s.fPhysCacheFlushPending = true;
+        pgmUnlock(pVM);
         HWACCMFlushTLB(pVM);
 #ifndef IN_RING3
@@ -174,5 +175,4 @@
         REMR3NotifyHandlerPhysicalRegister(pVM, enmType, GCPhys, GCPhysLast - GCPhys + 1, !!pfnHandlerR3);
 #endif
-        pgmUnlock(pVM);
         if (rc != VINF_SUCCESS)
             Log(("PGMHandlerPhysicalRegisterEx: returns %Rrc (%RGp-%RGp)\n", rc, GCPhys, GCPhysLast));
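Review bot: With `pgmUnlock(pVM)` moved up to just before `HWACCMFlushTLB(pVM)`, the `REMR3NotifyHandlerPhysicalRegister(...)` call in this hunk now runs without the PGM lock, whereas the deregister hunk still calls `pgmHandlerPhysicalDeregisterNotifyREM` before `pgmUnlock` and the PGMHandlerPhysicalModify hunk unlocks only after its REM notification block. If REM relies on the PGM lock to order these notifications, a register and a deregister of the same range issued from two threads could reach it in the wrong order. Unless that is intended, keep the notification under the lock by placing `pgmUnlock(pVM);` directly after the `#endif` and moving `HWACCMFlushTLB(pVM);` below it; if it is intended, a comment at the unlock should say so.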
@@ -268,8 +268,8 @@
          * Clear the page bits and notify the REM about this change.
          */
-        HWACCMFlushTLB(pVM);
         pgmHandlerPhysicalResetRamFlags(pVM, pCur);
         pgmHandlerPhysicalDeregisterNotifyREM(pVM, pCur);
         pgmUnlock(pVM);
+        HWACCMFlushTLB(pVM);
         MMHyperFree(pVM, pCur);
         return VINF_SUCCESS;
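Review bot: Between `pgmUnlock(pVM)` and the moved `HWACCMFlushTLB(pVM)` the page flags are already reset but no flush has been requested, and nothing in the hunk records why the flush has to sit outside the lock. If another VCPU can take the PGM lock in that window, it sees the new handler state while stale translations may still be live; whether that matters depends on what HWACCMFlushTLB does, which is not visible here. A short comment at the call would pin the intent, e.g. `/* Flush after dropping the PGM lock: <reason>; stale entries are harmless until then because <invariant>. */`. The same reordering appears in the PGMHandlerPhysicalRegisterEx and PGMHandlerPhysicalModify hunks and deserves the same comment there.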
@@ -552,6 +552,6 @@
                                                      pCur->Core.KeyLast - GCPhys + 1, !!pCur->pfnHandlerR3, fRestoreAsRAM);
 #endif
+                    pgmUnlock(pVM);
                     HWACCMFlushTLB(pVM);
-                    pgmUnlock(pVM);
                     Log(("PGMHandlerPhysicalModify: GCPhysCurrent=%RGp -> GCPhys=%RGp GCPhysLast=%RGp\n",
                          GCPhysCurrent, GCPhys, GCPhysLast));
@@ -1136,4 +1136,5 @@
     Assert(ppVirt);
 
+    pgmLock(pVM);
     PPGMPHYS2VIRTHANDLER pCur;
     pCur = (PPGMPHYS2VIRTHANDLER)RTAvlroGCPhysRangeGet(&pVM->pgm.s.CTX_SUFF(pTrees)->PhysToVirtHandlers, GCPhys);
@@ -1141,10 +1142,11 @@
     {
         /* found a match! */
+        *ppVirt = (PPGMVIRTHANDLER)((uintptr_t)pCur + pCur->offVirtHandler);
+        *piPage = pCur - &(*ppVirt)->aPhysToVirt[0];
+        pgmUnlock(pVM);
+
 #ifdef VBOX_STRICT_PGM_HANDLER_VIRTUAL
         AssertRelease(pCur->offNextAlias & PGMPHYS2VIRTHANDLER_IS_HEAD);
 #endif
-        *ppVirt = (PPGMVIRTHANDLER)((uintptr_t)pCur + pCur->offVirtHandler);
-        *piPage = pCur - &(*ppVirt)->aPhysToVirt[0];
-
         LogFlow(("PHYS2VIRT: found match for %RGp -> %RGv *piPage=%#x\n", GCPhys, (*ppVirt)->Core.Key, *piPage));
         STAM_PROFILE_STOP(&pVM->pgm.s.CTX_MID_Z(Stat,VirtHandlerSearchByPhys), a);
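Review bot: After the added `pgmUnlock(pVM)` the code still dereferences tree nodes: `AssertRelease(pCur->offNextAlias & ...)` and the `(*ppVirt)->Core.Key` argument of `LogFlow` both read handler memory that the lock no longer protects. Move the unlock below the strict-build block, i.e. `pgmUnlock(pVM);` after the `#endif`, and log from locals captured while the lock is held. The function also hands `*ppVirt` back to its caller after dropping the lock, so a concurrent deregistration could free the handler while the caller still uses it; the header comment should state that callers needing a stable `*ppVirt` must already own the PGM lock (this presumes pgmLock can be taken recursively, which is not visible here). The function starts and ends outside this hunk; the matching `pgmLock` and the not-found `pgmUnlock` are in the neighbouring hunks.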
@@ -1152,4 +1154,5 @@
     }
 
+    pgmUnlock(pVM);
     *ppVirt = NULL;
     STAM_PROFILE_STOP(&pVM->pgm.s.CTX_MID_Z(Stat,VirtHandlerSearchByPhys), a);
@@ -1222,4 +1225,5 @@
     PVM             pVM = (PVM)pvUser;
 
+    Assert(PGMIsLockOwner(pVM));
     /*
      * Iterate the pages and apply the new state.
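Review bot: The new `Assert(PGMIsLockOwner(pVM))` is the only place the locking precondition of this callback is recorded, and an `Assert` is normally compiled out of non-strict builds. State it in the function's header comment as well, e.g. `@remarks The caller must own the PGM lock.`, so callers learn the requirement without having to trip the assertion. The function's header and the rest of its body are outside this hunk.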
