kern/60284: NetBSD guest kernel panics with qemu + hvf on a MacOS Tahoe 26.5 host

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/60284: NetBSD guest kernel panics with qemu + hvf on a MacOS Tahoe 26.5 host
From: "sunil%nimmagadda.net@localhost via gnats" <gnats-admin%NetBSD.org@localhost>
Date: Thu, 21 May 2026 14:20:00 +0000 (UTC)

>Number:         60284
>Category:       kern
>Synopsis:       NetBSD guest kernel panics with qemu + hvf on a MacOS Tahoe 26.5 host
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu May 21 14:20:00 +0000 2026
>Originator:     Sunil Nimmagadda
>Release:        HEAD
>Organization:
>Environment:
Darwin IN-MV47KDX4PH 25.5.0 Darwin Kernel Version 25.5.0: Mon Apr 27 20:41:15 PDT 2026; root:xnu-12377.121.6~2/RELEASE_ARM64_T6041 arm64
>Description:
Running a NetBSD vm with qemu + hvf acceleration on MacOS with this invocation worked until the update to Tahoe 26.5...

qemu-system-aarch64 \
  -M virt \
  -cpu cortex-a57 \
  -accel hvf \
  -smp 4 \
  -m 8g \
  -nodefaults \
  -nographic \
  -serial mon:stdio \
  -kernel netbsd-GENERIC64.img \
  -append "root=dk1" \
  -drive if=none,file=arm64.img,format=raw,id=hd0 \
  -device virtio-blk-device,drive=hd0 \
  -netdev type=user,id=net0,ipv6=off,hostfwd=tcp:127.0.0.1:2229-:22 \
  -device virtio-net-device,netdev=net0 \
  -object rng-random,filename=/dev/urandom,id=viornd0 \
  -device virtio-rng-device,rng=viornd0 \

After the update on the host the hvf aborts with...
Assertion failed: (write_cpustate_to_list(arm_cpu, false)), function hvf_arch_init_vcpu, file hvf.c, line 1328.
./qemu.sh: line 20: 91674 Abort trap: 6

Trying to use '-cpu host' with qemu like this...

qemu-system-aarch64 \
  -M virt \
  -cpu host \
  -accel hvf \
  -smp 4 \
  -m 8g \
  -nodefaults \
  -nographic \
  -serial mon:stdio \
  -kernel netbsd-GENERIC64.img \
  -append "root=dk1" \
  -drive if=none,file=arm64.img,format=raw,id=hd0 \
  -device virtio-blk-device,drive=hd0 \
  -netdev type=user,id=net0,ipv6=off,hostfwd=tcp:127.0.0.1:2229-:22 \
  -device virtio-net-device,netdev=net0 \
  -object rng-random,filename=/dev/urandom,id=viornd0 \
  -device virtio-rng-device,rng=viornd0 \

results in the NetBSD guest kernel panic...

[   1.0000040] panic: kernel diagnostic assertion "armv8_pmu_detect()" failed: file "/usr/src/sys/dev/tprof/tprof_armv8.c", line 281 
[   1.0000040] cpu3: Begin traceback...
[   1.0000040] trace fp ffffc002b8043c40
[   1.0000040] fp ffffc002b8043c70 vpanic() at ffffc000005e4684 netbsd:vpanic+0x1bc
[   1.0000040] fp ffffc002b8043cd0 kern_assert() at ffffc0000088bff8 netbsd:kern_assert+0x58
[   1.0000040] fp ffffc002b8043d60 armv8_pmu_init() at ffffc000000c9cc4 netbsd:armv8_pmu_init+0xe4
[   1.0000040] fp ffffc002b8043d80 pmu_fdt_init() at ffffc00000078708 netbsd:pmu_fdt_init+0x284
[   1.0000040] fp ffffc002b8043e90 config_interrupts_thread() at ffffc000005bfd50 netbsd:config_interrupts_thread+0xac
[   1.0000040] tf ffffc002b8043ed0 el0_trap() at ffffc000000c07f0 netbsd:el1_trap_exit+0x68
[   1.0722237] cpu3: End traceback...
Stopped in pid 0.113 (system) at        netbsd:cpu_Debugger+0xc:        ldp     

$ qemu-system-aarch64 --version
QEMU emulator version 11.0.0
Copyright (c) 2003-2026 Fabrice Bellard and the QEMU Project developers

Wondering what's the correct cpu to choose for this host and hypervisor combination. 
>How-To-Repeat:
Run the qemu-system-aarch64 commands above on a MacOS with version Tahoe 26.5
>Fix:

Prev by Date: Re: misc/59151: efiboot hangs on new motherboard
Previous by Thread: Re: toolchain/57241 (mips64el--netbsd-install core dumps randomly)
Indexes:

Home | Main Index | Thread Index | Old Index