The bug description and patch in upstream xen-devel mailing list: http://lists.xensource.com/archives/html/xen-devel/2010-11/msg01650.html
handle_gdt_ldt_mapping_fault() is intended to deal with indirect accesses (i.e. those caused by descriptor loads) to the GDT/LDT mapping area only. While for 32-bit segment limits indeed prevent the function being entered for direct accesses (i.e. a #GP fault will be raised even before the address translation gets done, on 64-bit even user mode accesses would lead to control reaching the BUG_ON() at the beginning of that function.
Fortunately the fix is simple: Since the guest kernel runs in ring 3, any guest direct access will have the "user mode" bit set, whereas descriptor loads always do the translations to access the actual descriptors as kernel mode ones.
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2011:0017 https://rhn.redhat.com/errata/RHSA-2011-0017.html