diff --git a/qemu/accel/tcg/cputlb.c b/qemu/accel/tcg/cputlb.c
index c120d27b..138fc25c 100644
--- a/qemu/accel/tcg/cputlb.c
+++ b/qemu/accel/tcg/cputlb.c
@@ -2156,7 +2156,7 @@ store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
     }
 
     if (uc->snapshot_level && mr->ram && mr->priority < uc->snapshot_level) {
-        mr = memory_cow(uc, mr, addr & TARGET_PAGE_MASK, TARGET_PAGE_SIZE);
+        mr = memory_cow(uc, mr, paddr & TARGET_PAGE_MASK, TARGET_PAGE_SIZE);
         if (!mr) {
             uc->invalid_addr = paddr;
             uc->invalid_error = UC_ERR_NOMEM;
@@ -2164,7 +2164,7 @@ store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
             return;
         }
         /* refill tlb after CoW */
-        tlb_fill(env_cpu(env), paddr, size, MMU_DATA_STORE,
+        tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
                  mmu_idx, retaddr);
         index = tlb_index(env, mmu_idx, addr);
         entry = tlb_entry(env, mmu_idx, addr);