Index: marea.c
===================================================================
--- ntoskrnl/mm/marea.c	(revision 72155)
+++ ntoskrnl/mm/marea.c	(working copy)
@@ -175,7 +175,8 @@
     marea->VadNode.u.VadFlags.Protection = MiMakeProtectionMask(marea->Protect);
 
     /* Build a lame VAD if this is a user-space allocation */
-    if (MA_GetEndingAddress(marea) < (ULONG_PTR)MmSystemRangeStart)
+    if (MA_GetEndingAddress(marea) < (ULONG_PTR)MmSystemRangeStart &&
+        marea->EndingVpn != 0xfffff)
     {
         ASSERT(Process != NULL);
         if (marea->Type != MEMORY_AREA_OWNED_BY_ARM3)
@@ -378,6 +379,9 @@
         }
     }
 
+#if DBG
+    MemoryArea->Magic = 'daeD';
+#endif
     ExFreePoolWithTag(MemoryArea, TAG_MAREA);
 
     DPRINT("MmFreeMemoryAreaByNode() succeeded\n");
@@ -481,7 +485,7 @@
     {
         EndingAddress = ((ULONG_PTR)*BaseAddress + Length - 1) | (PAGE_SIZE - 1);
         *BaseAddress = ALIGN_DOWN_POINTER_BY(*BaseAddress, Granularity);
-        tmpLength = EndingAddress + 1 - (ULONG_PTR)*BaseAddress;
+        tmpLength = EndingAddress - (ULONG_PTR)*BaseAddress;
 
         if (!MmGetAddressSpaceOwner(AddressSpace) && *BaseAddress < MmSystemRangeStart)
         {
Index: mminit.c
===================================================================
--- ntoskrnl/mm/mminit.c	(revision 72155)
+++ ntoskrnl/mm/mminit.c	(working copy)
@@ -100,21 +100,15 @@
     // Paged pool
     MiCreateArm3StaticMemoryArea(MmPagedPoolStart, MmSizeOfPagedPoolInBytes, FALSE);
 
-#ifndef _M_AMD64
-    // KPCR, one page per CPU. Only for 32-bit kernel.
-    MiCreateArm3StaticMemoryArea(PCR, PAGE_SIZE * KeNumberProcessors, FALSE);
-#endif
-
-    // KUSER_SHARED_DATA
-    MiCreateArm3StaticMemoryArea((PVOID)KI_USER_SHARED_DATA, PAGE_SIZE, FALSE);
-
     // Debugger mapping
     MiCreateArm3StaticMemoryArea(MI_DEBUG_MAPPING, PAGE_SIZE, FALSE);
 
 #if defined(_X86_)
-    // Reserve the 2 pages we currently make use of for HAL mappings.
-    // TODO: Remove hard-coded constant and replace with a define.
-    MiCreateArm3StaticMemoryArea((PVOID)0xFFC00000, PAGE_SIZE * 2, FALSE);
+    // Reserved HAL area (includes KUSER_SHARED_DATA and KPCR)
+    MiCreateArm3StaticMemoryArea((PVOID)MM_HAL_VA_START, MM_HAL_VA_END - MM_HAL_VA_START + 1, FALSE);
+#else
+    // KUSER_SHARED_DATA
+    MiCreateArm3StaticMemoryArea((PVOID)KI_USER_SHARED_DATA, PAGE_SIZE, FALSE);
 #endif
 }