diff --git a/target-cris/helper.c b/target-cris/helper.c
index a12ac10ee0..ff4f2fe1da 100644
--- a/target-cris/helper.c
+++ b/target-cris/helper.c
@@ -172,8 +172,6 @@ void do_interrupt(CPUState *env)
 		env->dslot = 0;
 	}
 	
-	env->pc = ldl_code(env->pregs[PR_EBP] + ex_vec * 4);
-
 	if (env->pregs[PR_CCS] & U_FLAG) {
 		/* Swap stack pointers.  */
 		env->pregs[PR_USP] = env->regs[R_SP];
@@ -182,6 +180,10 @@ void do_interrupt(CPUState *env)
 
 	/* Apply the CRIS CCS shift. Clears U if set.  */
 	cris_shift_ccs(env);
+
+	/* Now that we are in kernel mode, load the handlers address.  */
+	env->pc = ldl_code(env->pregs[PR_EBP] + ex_vec * 4);
+
 	D_LOG("%s isr=%x vec=%x ccs=%x pid=%d erp=%x\n", 
 		   __func__, env->pc, ex_vec, 
 		   env->pregs[PR_CCS],
diff --git a/target-cris/mmu.c b/target-cris/mmu.c
index bc5b7105d1..b6892bbbf2 100644
--- a/target-cris/mmu.c
+++ b/target-cris/mmu.c
@@ -345,7 +345,7 @@ int cris_mmu_translate(struct cris_mmu_result *res,
 	}
 
 	seg = vaddr >> 28;
-	if (cris_mmu_segmented_addr(seg, env->sregs[SFR_RW_MM_CFG]))
+	if (!is_user && cris_mmu_segmented_addr(seg, env->sregs[SFR_RW_MM_CFG]))
 	{
 		uint32_t base;