diff --git a/headers/private/kernel/arch/m68k/arch_kernel.h b/headers/private/kernel/arch/m68k/arch_kernel.h
index 1c8886a509..d212052810 100644
--- a/headers/private/kernel/arch/m68k/arch_kernel.h
+++ b/headers/private/kernel/arch/m68k/arch_kernel.h
@@ -20,9 +20,10 @@
 ** region wont be placed there. The 64kb region assures a user space thread cannot pass
 ** a buffer into the kernel as part of a syscall that would cross into kernel space.
 */
-#define USER_BASE   0x100000
-#define USER_SIZE   (0x80000000 - (0x10000 + 0x100000))
-#define USER_TOP    (USER_BASE + USER_SIZE)
+#define USER_BASE     0x100000
+#define USER_BASE_ANY USER_BASE
+#define USER_SIZE     (0x80000000 - (0x10000 + 0x100000))
+#define USER_TOP      (USER_BASE + USER_SIZE)
 
 #define USER_STACK_REGION 0x70000000
 #define USER_STACK_REGION_SIZE (USER_BASE + (USER_SIZE - USER_STACK_REGION))
diff --git a/headers/private/kernel/arch/ppc/arch_kernel.h b/headers/private/kernel/arch/ppc/arch_kernel.h
index 72ed6b81c6..862a54118f 100644
--- a/headers/private/kernel/arch/ppc/arch_kernel.h
+++ b/headers/private/kernel/arch/ppc/arch_kernel.h
@@ -20,9 +20,10 @@
 ** region wont be placed there. The 64kb region assures a user space thread cannot pass
 ** a buffer into the kernel as part of a syscall that would cross into kernel space.
 */
-#define USER_BASE   0x100000
-#define USER_SIZE   (0x80000000 - (0x10000 + 0x100000))
-#define USER_TOP    (USER_BASE + USER_SIZE)
+#define USER_BASE     0x100000
+#define USER_BASE_ANY USER_BASE
+#define USER_SIZE     (0x80000000 - (0x10000 + 0x100000))
+#define USER_TOP      (USER_BASE + USER_SIZE)
 
 #define USER_STACK_REGION 0x70000000
 #define USER_STACK_REGION_SIZE (USER_BASE + (USER_SIZE - USER_STACK_REGION))
diff --git a/headers/private/kernel/arch/x86/arch_kernel.h b/headers/private/kernel/arch/x86/arch_kernel.h
index 586c1bf28d..eaa5e017c5 100644
--- a/headers/private/kernel/arch/x86/arch_kernel.h
+++ b/headers/private/kernel/arch/x86/arch_kernel.h
@@ -1,7 +1,10 @@
 /*
-** Copyright 2001-2002, Travis Geiselbrecht. All rights reserved.
-** Distributed under the terms of the NewOS License.
-*/
+ * Copyright 2004-2008, Haiku Inc. All rights reserved.
+ * Distributes under the terms of the MIT license.
+ *
+ * Copyright 2001-2002, Travis Geiselbrecht. All rights reserved.
+ * Distributed under the terms of the NewOS License.
+ */
 #ifndef _KERNEL_ARCH_x86_KERNEL_H
 #define _KERNEL_ARCH_x86_KERNEL_H
 
@@ -14,19 +17,22 @@
 #define KERNEL_SIZE 0x80000000
 #define KERNEL_TOP  (KERNEL_BASE + (KERNEL_SIZE - 1))
 
-/*
-** User space layout is a little special:
-** The user space does not completely cover the space not covered by the kernel.
-** This is accomplished by starting user space at 1Mb and running to 64kb short of kernel space.
-** The lower 1Mb reserved spot makes it easy to find null pointer references and guarantees a
-** region wont be placed there. The 64kb region assures a user space thread cannot pass
-** a buffer into the kernel as part of a syscall that would cross into kernel space.
-*/
-#define USER_BASE   0x100000
-#define USER_SIZE   (0x80000000 - (0x10000 + 0x100000))
-#define USER_TOP    (USER_BASE + USER_SIZE)
+/* User space layout is a little special:
+ * The user space does not completely cover the space not covered by the
+ * kernel. There is a gap of 64kb between the user and kernel space. The 64kb
+ * region assures a user space thread cannot pass a buffer into the kernel as
+ * part of a syscall that would cross into kernel space.
+ * Furthermore no areas are placed in the lower 1Mb unless the application
+ * explicitly requests it to find null pointer references.
+ * TODO: introduce the 1Mb lower barrier again - it's only used for vm86 mode,
+ *	and this should be moved into the kernel (and address space) completely.
+ */
+#define USER_BASE     0x00
+#define USER_BASE_ANY 0x100000
+#define USER_SIZE     (KERNEL_BASE - 0x10000)
+#define USER_TOP      (USER_BASE + USER_SIZE)
 
 #define USER_STACK_REGION 0x70000000
 #define USER_STACK_REGION_SIZE (USER_TOP - USER_STACK_REGION)
 
-#endif /* _KERNEL_ARCH_x86_KERNEL_H */
+#endif	/* _KERNEL_ARCH_x86_KERNEL_H */
diff --git a/src/system/kernel/vm/vm.cpp b/src/system/kernel/vm/vm.cpp
index b936e71f3d..9cbf59db62 100644
--- a/src/system/kernel/vm/vm.cpp
+++ b/src/system/kernel/vm/vm.cpp
@@ -1139,12 +1139,11 @@ second_chance:
 }
 
 
-/**	This inserts the area you pass into the specified address space.
- *	It will also set the "_address" argument to its base address when
- *	the call succeeds.
- *	You need to hold the vm_address_space semaphore.
- */
-
+/*!	This inserts the area you pass into the specified address space.
+	It will also set the "_address" argument to its base address when
+	the call succeeds.
+	You need to hold the vm_address_space semaphore.
+*/
 static status_t
 insert_area(vm_address_space *addressSpace, void **_address,
 	uint32 addressSpec, addr_t size, vm_area *area)
@@ -1167,6 +1166,10 @@ insert_area(vm_address_space *addressSpace, void **_address,
 		case B_ANY_KERNEL_ADDRESS:
 		case B_ANY_KERNEL_BLOCK_ADDRESS:
 			searchBase = addressSpace->base;
+			// TODO: remove this again when vm86 mode is moved into the kernel
+			// completely (currently needs a userland address space!)
+			if (searchBase == USER_BASE)
+				searchBase = USER_BASE_ANY;
 			searchEnd = addressSpace->base + (addressSpace->size - 1);
 			break;
 
@@ -1175,7 +1178,7 @@ insert_area(vm_address_space *addressSpace, void **_address,
 	}
 
 	status = find_and_insert_area_slot(addressSpace, searchBase, size,
-				searchEnd, addressSpec, area);
+		searchEnd, addressSpec, area);
 	if (status == B_OK) {
 		// ToDo: do we have to do anything about B_ANY_KERNEL_ADDRESS
 		//		vs. B_ANY_KERNEL_BLOCK_ADDRESS here?