diff -Naur xen-4.1.3.orig/xen/arch/x86/domain.c xen-4.1.3/xen/arch/x86/domain.c
--- xen-4.1.3.orig/xen/arch/x86/domain.c	2014-12-05 14:24:41.768853800 +0100
+++ xen-4.1.3/xen/arch/x86/domain.c	2014-12-05 14:49:46.676941589 +0100
@@ -1732,7 +1732,8 @@
 }
 
 #ifdef CONFIG_COMPAT
-int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...)
+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
+                                unsigned int mask, ...)
 {
     int rc = 0;
     struct mc_state *mcs = &current->mc_state;
@@ -1741,7 +1742,10 @@
     unsigned long nval = 0;
     va_list args;
 
-    BUG_ON(id && *id > 5);
+    ASSERT(nr <= ARRAY_SIZE(mcs->call.args));
+    ASSERT(!(mask >> nr));
+
+    BUG_ON(id && *id >= nr);
     BUG_ON(id && (mask & (1U << *id)));
 
     va_start(args, mask);
@@ -1750,7 +1754,7 @@
     {
         if ( !test_bit(_MCSF_call_preempted, &mcs->flags) )
             return 0;
-        for ( i = 0; i < 6; ++i, mask >>= 1 )
+        for ( i = 0; i < nr; ++i, mask >>= 1 )
         {
             if ( mask & 1 )
             {
@@ -1778,7 +1782,7 @@
     else
     {
         regs = guest_cpu_user_regs();
-        for ( i = 0; i < 6; ++i, mask >>= 1 )
+        for ( i = 0; i < nr; ++i, mask >>= 1 )
         {
             unsigned long *reg;
 
diff -Naur xen-4.1.3.orig/xen/arch/x86/x86_64/compat/mm.c xen-4.1.3/xen/arch/x86/x86_64/compat/mm.c
--- xen-4.1.3.orig/xen/arch/x86/x86_64/compat/mm.c	2014-12-05 14:23:47.432274692 +0100
+++ xen-4.1.3/xen/arch/x86/x86_64/compat/mm.c	2014-12-05 14:49:46.680941632 +0100
@@ -128,7 +128,7 @@
             break;
 
         if ( rc == __HYPERVISOR_memory_op )
-            hypercall_xlat_continuation(NULL, 0x2, nat, arg);
+            hypercall_xlat_continuation(NULL, 2, 0x2, nat, arg);
 
         XLAT_pod_target(&cmp, nat);
 
@@ -333,7 +333,7 @@
                 left = 1;
                 if ( arg1 != MMU_UPDATE_PREEMPTED )
                 {
-                    BUG_ON(!hypercall_xlat_continuation(&left, 0x01, nat_ops,
+                    BUG_ON(!hypercall_xlat_continuation(&left, 4, 0x01, nat_ops,
                                                         cmp_uops));
                     if ( !test_bit(_MCSF_in_multicall, &mcs->flags) )
                         regs->_ecx += count - i;
@@ -341,7 +341,7 @@
                         mcs->compat_call.args[1] += count - i;
                 }
                 else
-                    BUG_ON(hypercall_xlat_continuation(&left, 0));
+                    BUG_ON(hypercall_xlat_continuation(&left, 4, 0));
                 BUG_ON(left != arg1);
             }
             else
diff -Naur xen-4.1.3.orig/xen/common/compat/memory.c xen-4.1.3/xen/common/compat/memory.c
--- xen-4.1.3.orig/xen/common/compat/memory.c	2014-12-05 14:22:57.583743564 +0100
+++ xen-4.1.3/xen/common/compat/memory.c	2014-12-05 14:49:46.680941632 +0100
@@ -194,7 +194,7 @@
             return rc;
 
         cmd = 0;
-        if ( hypercall_xlat_continuation(&cmd, 0x02, nat.hnd, compat) )
+        if ( hypercall_xlat_continuation(&cmd, 2, 0x02, nat.hnd, compat) )
         {
             BUG_ON(rc != __HYPERVISOR_memory_op);
             BUG_ON((cmd & MEMOP_CMD_MASK) != op);
diff -Naur xen-4.1.3.orig/xen/include/xen/compat.h xen-4.1.3/xen/include/xen/compat.h
--- xen-4.1.3.orig/xen/include/xen/compat.h	2012-08-10 15:51:54.000000000 +0200
+++ xen-4.1.3/xen/include/xen/compat.h	2014-12-05 14:49:18.000635151 +0100
@@ -185,7 +185,8 @@
     CHECK_FIELD_COMMON_(k, CHECK_NAME_(k, n ## __ ## f1 ## __ ## f2 ## __ ## \
                                        f3, F2), n, f1.f2.f3)
 
-int hypercall_xlat_continuation(unsigned int *id, unsigned int mask, ...);
+int hypercall_xlat_continuation(unsigned int *id, unsigned int nr,
+                                unsigned int mask, ...);
 
 /* In-place translation functons: */
 struct start_info;
