At the time that mp_bootaddress() is called, phys_avail array does not reflect some memory reservations already done, like kernel placement. Recent changes to DMAP protection which make kernel text read-only in DMAP revealed this, where on some machines AP boot page tables selection appears to intersect with the kernel itself.
Fix this by checking the addresses selected using the same algorithm as bootaddr_rwx(). Also, try to chomp pages for the page table not only at the start of the contiguous range, but also at the end. This should improve robustness when the only suitable range is already consumed by the kernel.
N.B. I think that phys_avail manipulation functions from D16719 can be usefully applied there. At least, this code is very good testing place for that revision.
Reported and tested by: Michael Gmelin <firstname.lastname@example.org>