Index: stand/i386/libi386/amd64_tramp.S
===================================================================
--- stand/i386/libi386/amd64_tramp.S
+++ stand/i386/libi386/amd64_tramp.S
@@ -44,16 +44,6 @@
 
 	.p2align 12,0x40
 
-	.globl	PT4
-PT4:
-	.space	0x1000
-	.globl	PT3
-PT3:
-	.space	0x1000
-	.globl	PT2
-PT2:
-	.space	0x1000
-
 gdtdesc:
 	.word	gdtend - gdt
 	.long	VTOP(gdt)		# low
@@ -87,8 +77,11 @@
 	orl	$CR4_PAE, %eax
 	movl	%eax, %cr4
 
-	/* Set %cr3 for PT4 */
-	movl	$VTOP(PT4), %eax
+	/*
+	 * Set %cr3 for PT4. PT4 is on top of the stack. Pop it off so the args
+	 * we pass to the kernel are all that remain when we call it.
+	 */
+	popl	%eax
 	movl	%eax, %cr3
 
 	/* Turn on paging (implicitly sets EFER.LMA) */
Index: stand/i386/libi386/elf64_freebsd.c
===================================================================
--- stand/i386/libi386/elf64_freebsd.c
+++ stand/i386/libi386/elf64_freebsd.c
@@ -53,9 +53,9 @@
 typedef uint64_t p4_entry_t;
 typedef uint64_t p3_entry_t;
 typedef uint64_t p2_entry_t;
-extern p4_entry_t PT4[];
-extern p3_entry_t PT3[];
-extern p2_entry_t PT2[];
+static p4_entry_t *PT4;
+static p3_entry_t *PT3;
+static p2_entry_t *PT2;
 
 uint32_t entry_hi;
 uint32_t entry_lo;
@@ -84,6 +84,18 @@
     if (err != 0)
 	return(err);
 
+    /*
+     * Put page table just after kernend, and adjust kernend so that this memory
+     * isn't allocated early in boot (for ucode currently) and the page tables
+     * exist through their being replaced.
+     */
+    PT4 = (p4_entry_t *)kernend;
+    kernend += PAGE_SIZE;
+    PT3 = (p3_entry_t *)kernend;
+    kernend += PAGE_SIZE;
+    PT2 = (p2_entry_t *)kernend;
+    kernend += PAGE_SIZE;
+
     bzero(PT4, PAGE_SIZE);
     bzero(PT3, PAGE_SIZE);
     bzero(PT2, PAGE_SIZE);
@@ -113,7 +125,7 @@
 #endif
 
     dev_cleanup();
-    __exec((void *)VTOP(amd64_tramp), modulep, kernend);
+    __exec((void *)VTOP(amd64_tramp), PT4, modulep, kernend);
 
     panic("exec returned");
 }