Index: /trunk/src/VBox/VMM/PGM.cpp
===================================================================
--- /trunk/src/VBox/VMM/PGM.cpp	(revision 30812)
+++ /trunk/src/VBox/VMM/PGM.cpp	(revision 30813)
@@ -1213,8 +1213,13 @@
         pPGM->GCPhysCR3        = NIL_RTGCPHYS;
 
+        pPGM->pGst32BitPdR3    = NULL;
         pPGM->pGstPaePdptR3    = NULL;
+        pPGM->pGstAmd64Pml4R3  = NULL;
 #ifndef VBOX_WITH_2X_4GB_ADDR_SPACE
+        pPGM->pGst32BitPdR0    = NIL_RTR0PTR:
         pPGM->pGstPaePdptR0    = NIL_RTR0PTR;
+        pPGM->pGstAmd64Pml4R0  = NIL_RTR0PTR;
 #endif
+        pPGM->pGst32BitPdRC    = NIL_RTRCPTR;
         pPGM->pGstPaePdptRC    = NIL_RTRCPTR;
         for (unsigned i = 0; i < RT_ELEMENTS(pVCpu->pgm.s.apGstPaePDsR3); i++)
Index: /trunk/src/VBox/VMM/PGMInternal.h
===================================================================
--- /trunk/src/VBox/VMM/PGMInternal.h	(revision 30812)
+++ /trunk/src/VBox/VMM/PGMInternal.h	(revision 30813)
@@ -1165,5 +1165,5 @@
     R3PTRTYPE(void *)                   pvR3;
     /** Live save per page tracking data. */
-    R3PTRTYPE(PPGMLIVESAVERAMPAGE)         paLSPages;
+    R3PTRTYPE(PPGMLIVESAVERAMPAGE)      paLSPages;
     /** The range description. */
     R3PTRTYPE(const char *)             pszDesc;
Index: /trunk/src/VBox/VMM/PGMPhys.cpp
===================================================================
--- /trunk/src/VBox/VMM/PGMPhys.cpp	(revision 30812)
+++ /trunk/src/VBox/VMM/PGMPhys.cpp	(revision 30813)
@@ -3188,5 +3188,5 @@
 }
 
-
+#if 1 /* HC_ARCH_BITS == 32 */
 /**
  * Tree enumeration callback for dealing with age rollover.
@@ -3383,11 +3383,32 @@
             pVM->pgm.s.ChunkR3Map.c--;
 
-            /* Chunk removed, so clear the chunk map TLB; PGMR3PhysChunkInvalidateTLB clears the page map TLB as well. */
-            PGMR3PhysChunkInvalidateTLB(pVM);
-
-            /* Flush all REM caches. */
+            /* Flush dangling PGM pointers (R3 & R0 ptrs to GC physical addresses) */
+            for (VMCPUID idCpu = 0; idCpu < pVM->cCpus; idCpu++)
+            {
+                PVMCPU pVCpu = &pVM->aCpus[idCpu];
+                PPGMCPU pPGM = &pVCpu->pgm.s;
+
+                pPGM->pGst32BitPdR3    = NULL;
+                pPGM->pGstPaePdptR3    = NULL;
+                pPGM->pGstAmd64Pml4R3  = NULL;
+#ifndef VBOX_WITH_2X_4GB_ADDR_SPACE
+                pPGM->pGst32BitPdR0    = NIL_RTR0PTR:
+                pPGM->pGstPaePdptR0    = NIL_RTR0PTR;
+                pPGM->pGstAmd64Pml4R0  = NIL_RTR0PTR;
+#endif
+                for (unsigned i = 0; i < RT_ELEMENTS(pVCpu->pgm.s.apGstPaePDsR3); i++)
+                {
+                    pPGM->apGstPaePDsR3[i]             = NULL;
+#ifndef VBOX_WITH_2X_4GB_ADDR_SPACE
+                    pPGM->apGstPaePDsR0[i]             = NIL_RTR0PTR;
+#endif
+                }
+
+                /* Flush REM TLBs. */
+                CPUMSetChangedFlags(pVCpu, CPUM_CHANGED_GLOBAL_TLB_FLUSH);
+            }
+
+            /* Flush REM translation blocks. */
             REMFlushTBs(pVM);
-            for (VMCPUID idCpu = 0; idCpu < pVM->cCpus; idCpu++)
-                CPUMSetChangedFlags(&pVM->aCpus[idCpu], CPUM_CHANGED_GLOBAL_TLB_FLUSH);
 
             /* Flush the pgm pool cache; call the internal rendezvous handler as we're already in a rendezvous handler here. */
@@ -3410,4 +3431,5 @@
     AssertRC(rc);
 }
+#endif /* HC_ARCH_BITS == 32 */
 
 /**