Merge pull request #113 from AFLplusplus/update_qemu_v10_0_0

Update QEMU to v10.0.0
2025-05-02 20:29:16 +02:00 · 2025-05-02 20:29:16 +02:00 · 54b1f3f8d9
commit 54b1f3f8d9
parent 97bef506ee 13757ee0e9
3151 changed files with 94717 additions and 45990 deletions
--- a/.b4-config
+++ b/.b4-config
@ -0,0 +1,14 @@
 #
 # Common b4 settings that can be used to send patches to QEMU upstream.
 # https://b4.docs.kernel.org/
 #
 [b4]
    send-series-to = qemu-devel@nongnu.org
    send-auto-to-cmd = echo
    send-auto-cc-cmd = scripts/get_maintainer.pl --noroles --norolestats --nogit --nogit-fallback
    am-perpatch-check-cmd = scripts/checkpatch.pl -q --terse --no-summary --mailback -
    prep-perpatch-check-cmd = scripts/checkpatch.pl -q --terse --no-summary --mailback -
    searchmask = https://lore.kernel.org/qemu-devel/?x=m&t=1&q=%s
    linkmask = https://lore.kernel.org/qemu-devel/%s
    linktrailermask = Message-ID: <%s>
--- a/.editorconfig
+++ b/.editorconfig
@ -47,3 +47,16 @@ emacs_mode = glsl
 [*.json]
 indent_style = space
 emacs_mode = python
 # by default follow QEMU's style
 [*.pl]
 indent_style = space
 indent_size = 4
 emacs_mode = perl
 # but user kernel "style" for imported scripts
 [scripts/{kernel-doc,get_maintainer.pl,checkpatch.pl}]
 indent_style = tab
 indent_size = 8
 emacs_mode = perl
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@ -5,6 +5,7 @@ on:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:
 env:
  CARGO_TERM_COLOR: always
--- a/.gitlab-ci.d/buildtest.yml
+++ b/.gitlab-ci.d/buildtest.yml
@ -40,7 +40,7 @@ build-system-ubuntu:
    job: amd64-ubuntu2204-container
  variables:
    IMAGE: ubuntu2204
-    CONFIGURE_ARGS: --enable-docs
+    CONFIGURE_ARGS: --enable-docs --enable-rust
    TARGETS: alpha-softmmu microblazeel-softmmu mips64el-softmmu
    MAKE_CHECK_ARGS: check-build
@ -71,7 +71,7 @@ build-system-debian:
    job: amd64-debian-container
  variables:
    IMAGE: debian
-    CONFIGURE_ARGS: --with-coroutine=sigaltstack
+    CONFIGURE_ARGS: --with-coroutine=sigaltstack --enable-rust
    TARGETS: arm-softmmu i386-softmmu riscv64-softmmu sh4eb-softmmu
      sparc-softmmu xtensa-softmmu
    MAKE_CHECK_ARGS: check-build
@ -131,6 +131,12 @@ build-system-fedora-rust-nightly:
    CONFIGURE_ARGS: --disable-docs --enable-rust --enable-strict-rust-lints
    TARGETS: aarch64-softmmu
    MAKE_CHECK_ARGS: check-build
  after_script:
    - source scripts/ci/gitlab-ci-section
    - section_start test "Running Rust doctests"
    - cd build
    - pyvenv/bin/meson devenv -w ../rust ${CARGO-cargo} test --doc -p qemu_api
  allow_failure: true
 check-system-fedora:
--- a/.gitlab-ci.d/check-dco.py
+++ b/.gitlab-ci.d/check-dco.py
@ -21,7 +21,7 @@ repourl = "https://gitlab.com/%s/%s.git" % (namespace, reponame)
 print(f"adding upstream git repo @ {repourl}")
 subprocess.check_call(["git", "remote", "add", "check-dco", repourl])
-subprocess.check_call(["git", "fetch", "check-dco", "master"])
+subprocess.check_call(["git", "fetch", "--refetch", "check-dco", "master"])
 ancestor = subprocess.check_output(["git", "merge-base",
                                    "check-dco/master", "HEAD"],
--- a/.gitlab-ci.d/check-patch.py
+++ b/.gitlab-ci.d/check-patch.py
@ -24,7 +24,7 @@ print(f"adding upstream git repo @ {repourl}")
 # base for the user's branch. We thus need to figure out a common
 # ancestor between the user's branch and current git master.
 subprocess.check_call(["git", "remote", "add", "check-patch", repourl])
-subprocess.check_call(["git", "fetch", "check-patch", "master"])
+subprocess.check_call(["git", "fetch", "--refetch", "check-patch", "master"])
 ancestor = subprocess.check_output(["git", "merge-base",
                                    "check-patch/master", "HEAD"],
--- a/.gitlab-ci.d/check-units.py
+++ b/.gitlab-ci.d/check-units.py
@ -0,0 +1,66 @@
 #!/usr/bin/env python3
 #
 # check-units.py: check the number of compilation units and identify
 #                 those that are rebuilt multiple times
 #
 # Copyright (C) 2025 Linaro Ltd.
 #
 # SPDX-License-Identifier: GPL-2.0-or-later
 from os import access, R_OK, path
 from sys import argv, exit
 import json
 from collections import Counter
 def extract_build_units(cc_path):
    """
    Extract the build units and their counds from compile_commands.json file.
    Returns:
        Hash table of ["unit"] = count
    """
    j = json.load(open(cc_path, 'r'))
    files = [f['file'] for f in j]
    build_units = Counter(files)
    return build_units
 def analyse_units(build_units):
    """
    Analyse the build units and report stats and the top 10 rebuilds
    """
    print(f"Total source files: {len(build_units.keys())}")
    print(f"Total build units: {sum(units.values())}")
    # Create a sorted list by number of rebuilds
    sorted_build_units = sorted(build_units.items(),
                                key=lambda item: item[1],
                                reverse=True)
    print("Most rebuilt units:")
    for unit, count in sorted_build_units[:20]:
        print(f"  {unit} built {count} times")
    print("Least rebuilt units:")
    for unit, count in sorted_build_units[-10:]:
        print(f"  {unit} built {count} times")
 if __name__ == "__main__":
    if len(argv) != 2:
        script_name = path.basename(argv[0])
        print(f"Usage: {script_name} <path_to_compile_commands.json>")
        exit(1)
    cc_path = argv[1]
    if path.isfile(cc_path) and access(cc_path, R_OK):
        units = extract_build_units(cc_path)
        analyse_units(units)
        exit(0)
    else:
        print(f"{cc_path} doesn't exist or isn't readable")
        exit(1)
--- a/.gitlab-ci.d/cirrus.yml
+++ b/.gitlab-ci.d/cirrus.yml
@ -15,32 +15,17 @@
  stage: build
  image: registry.gitlab.com/libvirt/libvirt-ci/cirrus-run:latest
  needs: []
  allow_failure:
    exit_codes: 3
  # 20 mins larger than "timeout_in" in cirrus/build.yml
  # as there's often a 5-10 minute delay before Cirrus CI
  # actually starts the task
  timeout: 80m
  script:
    - set -o allexport
    - source .gitlab-ci.d/cirrus/$NAME.vars
-    - sed -e "s|[@]CI_REPOSITORY_URL@|$CI_REPOSITORY_URL|g"
+    - set +o allexport
-          -e "s|[@]CI_COMMIT_REF_NAME@|$CI_COMMIT_REF_NAME|g"
+    - cirrus-vars <.gitlab-ci.d/cirrus/build.yml >.gitlab-ci.d/cirrus/$NAME.yml
          -e "s|[@]CI_COMMIT_SHA@|$CI_COMMIT_SHA|g"
          -e "s|[@]CIRRUS_VM_INSTANCE_TYPE@|$CIRRUS_VM_INSTANCE_TYPE|g"
          -e "s|[@]CIRRUS_VM_IMAGE_SELECTOR@|$CIRRUS_VM_IMAGE_SELECTOR|g"
          -e "s|[@]CIRRUS_VM_IMAGE_NAME@|$CIRRUS_VM_IMAGE_NAME|g"
          -e "s|[@]CIRRUS_VM_CPUS@|$CIRRUS_VM_CPUS|g"
          -e "s|[@]CIRRUS_VM_RAM@|$CIRRUS_VM_RAM|g"
          -e "s|[@]UPDATE_COMMAND@|$UPDATE_COMMAND|g"
          -e "s|[@]INSTALL_COMMAND@|$INSTALL_COMMAND|g"
          -e "s|[@]PATH@|$PATH_EXTRA${PATH_EXTRA:+:}\$PATH|g"
          -e "s|[@]PKG_CONFIG_PATH@|$PKG_CONFIG_PATH|g"
          -e "s|[@]PKGS@|$PKGS|g"
          -e "s|[@]MAKE@|$MAKE|g"
          -e "s|[@]PYTHON@|$PYTHON|g"
          -e "s|[@]PIP3@|$PIP3|g"
          -e "s|[@]PYPI_PKGS@|$PYPI_PKGS|g"
          -e "s|[@]CONFIGURE_ARGS@|$CONFIGURE_ARGS|g"
          -e "s|[@]TEST_TARGETS@|$TEST_TARGETS|g"
      <.gitlab-ci.d/cirrus/build.yml >.gitlab-ci.d/cirrus/$NAME.yml
    - cat .gitlab-ci.d/cirrus/$NAME.yml
    - cirrus-run -v --show-build-log always .gitlab-ci.d/cirrus/$NAME.yml
  variables:
--- a/.gitlab-ci.d/cirrus/build.yml
+++ b/.gitlab-ci.d/cirrus/build.yml
@ -8,7 +8,7 @@ env:
  CI_REPOSITORY_URL: "@CI_REPOSITORY_URL@"
  CI_COMMIT_REF_NAME: "@CI_COMMIT_REF_NAME@"
  CI_COMMIT_SHA: "@CI_COMMIT_SHA@"
-  PATH: "@PATH@"
+  PATH: "@PATH_EXTRA@:$PATH"
  PKG_CONFIG_PATH: "@PKG_CONFIG_PATH@"
  PYTHON: "@PYTHON@"
  MAKE: "@MAKE@"
--- a/.gitlab-ci.d/cirrus/freebsd-14.vars
+++ b/.gitlab-ci.d/cirrus/freebsd-14.vars
@ -11,6 +11,6 @@ MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
 PACKAGING_COMMAND='pkg'
 PIP3='/usr/local/bin/pip'
-PKGS='alsa-lib bash bison bzip2 ca_root_nss capstone4 ccache cmocka ctags curl cyrus-sasl dbus diffutils dtc flex fusefs-libs3 gettext git glib gmake gnutls gsed gtk-vnc gtk3 json-c libepoxy libffi libgcrypt libjpeg-turbo libnfs libslirp libspice-server libssh libtasn1 llvm lzo2 meson mtools ncurses nettle ninja opencv pixman pkgconf png py311-numpy py311-pillow py311-pip py311-pyyaml py311-sphinx py311-sphinx_rtd_theme py311-tomli python3 rpm2cpio rust rust-bindgen-cli sdl2 sdl2_image snappy sndio socat spice-protocol tesseract usbredir virglrenderer vte3 xorriso zstd'
+PKGS='alsa-lib bash bison bzip2 ca_root_nss capstone4 ccache4 cmocka ctags curl cyrus-sasl dbus diffutils dtc flex fusefs-libs3 gettext git glib gmake gnutls gsed gtk-vnc gtk3 json-c libepoxy libffi libgcrypt libjpeg-turbo libnfs libslirp libspice-server libssh libtasn1 llvm lzo2 meson mtools ncurses nettle ninja opencv pixman pkgconf png py311-numpy py311-pillow py311-pip py311-pyyaml py311-sphinx py311-sphinx_rtd_theme py311-tomli python3 rpm2cpio rust rust-bindgen-cli sdl2 sdl2_image snappy sndio socat spice-protocol tesseract usbredir virglrenderer vte3 vulkan-tools xorriso zstd'
 PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'
--- a/.gitlab-ci.d/cirrus/macos-14.vars
+++ b/.gitlab-ci.d/cirrus/macos-14.vars
@ -11,6 +11,6 @@ MAKE='/opt/homebrew/bin/gmake'
 NINJA='/opt/homebrew/bin/ninja'
 PACKAGING_COMMAND='brew'
 PIP3='/opt/homebrew/bin/pip3'
-PKGS='bash bc bindgen bison bzip2 capstone ccache cmocka ctags curl dbus diffutils dtc flex gcovr gettext git glib gnu-sed gnutls gtk+3 gtk-vnc jemalloc jpeg-turbo json-c libcbor libepoxy libffi libgcrypt libiscsi libnfs libpng libslirp libssh libtasn1 libusb llvm lzo make meson mtools ncurses nettle ninja pixman pkg-config python3 rpm2cpio rust sdl2 sdl2_image snappy socat sparse spice-protocol swtpm tesseract usbredir vde vte3 xorriso zlib zstd'
+PKGS='bash bc bindgen bison bzip2 capstone ccache cmocka ctags curl dbus diffutils dtc flex gcovr gettext git glib gnu-sed gnutls gtk+3 gtk-vnc jemalloc jpeg-turbo json-c libcbor libepoxy libffi libgcrypt libiscsi libnfs libpng libslirp libssh libtasn1 libusb llvm lzo make meson mtools ncurses nettle ninja pixman pkg-config python3 rpm2cpio rust sdl2 sdl2_image snappy socat sparse spice-protocol swtpm tesseract usbredir vde vte3 vulkan-tools xorriso zlib zstd'
 PYPI_PKGS='PyYAML numpy pillow sphinx sphinx-rtd-theme tomli'
 PYTHON='/opt/homebrew/bin/python3'
--- a/.gitlab-ci.d/crossbuilds.yml
+++ b/.gitlab-ci.d/crossbuilds.yml
@ -61,7 +61,7 @@ cross-i686-tci:
  variables:
    IMAGE: debian-i686-cross
    ACCEL: tcg-interpreter
-    EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user --disable-plugins --disable-kvm
+    EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,arm-softmmu,arm-linux-user,ppc-softmmu,ppc-linux-user --disable-plugins --disable-kvm
    # Force tests to run with reduced parallelism, to see whether this
    # reduces the flakiness of this CI job. The CI
    # environment by default shows us 8 CPUs and so we
--- a/.gitlab-ci.d/static_checks.yml
+++ b/.gitlab-ci.d/static_checks.yml
@ -46,3 +46,49 @@ check-python-tox:
    QEMU_JOB_OPTIONAL: 1
  needs:
    job: python-container
 check-rust-tools-nightly:
  extends: .base_job_template
  stage: test
  image: $CI_REGISTRY_IMAGE/qemu/fedora-rust-nightly:$QEMU_CI_CONTAINER_TAG
  script:
    - source scripts/ci/gitlab-ci-section
    - section_start test "Running Rust code checks"
    - cd build
    - pyvenv/bin/meson devenv -w ../rust ${CARGO-cargo} fmt --check
    - make clippy
    - make rustdoc
    - section_end test
  variables:
    GIT_DEPTH: 1
  allow_failure: true
  needs:
    - job: build-system-fedora-rust-nightly
      artifacts: true
  artifacts:
    when: on_success
    expire_in: 2 days
    paths:
      - rust/target/doc
 check-build-units:
  extends: .base_job_template
  stage: build
  image: $CI_REGISTRY_IMAGE/qemu/debian:$QEMU_CI_CONTAINER_TAG
  needs:
    job: amd64-debian-container
  before_script:
    - source scripts/ci/gitlab-ci-section
    - section_start setup "Install Tools"
    - apt install --assume-yes --no-install-recommends jq
    - section_end setup
  script:
    - mkdir build
    - cd build
    - section_start configure "Running configure"
    - ../configure
    - cd ..
    - section_end configure
    - section_start analyse "Analyse"
    - .gitlab-ci.d/check-units.py build/compile_commands.json
    - section_end analyse
--- a/.mailmap
+++ b/.mailmap
@ -67,6 +67,7 @@ Andrey Drobyshev <andrey.drobyshev@virtuozzo.com> Andrey Drobyshev via <qemu-blo
 BALATON Zoltan <balaton@eik.bme.hu> BALATON Zoltan via <qemu-ppc@nongnu.org>
 # Next, replace old addresses by a more recent one.
 Akihiko Odaki <akihiko.odaki@daynix.com> <akihiko.odaki@gmail.com>
 Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> <aleksandar.markovic@mips.com>
 Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> <aleksandar.markovic@imgtec.com>
 Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> <amarkovic@wavecomp.com>
@ -87,8 +88,9 @@ Huacai Chen <chenhuacai@kernel.org> <chenhc@lemote.com>
 Huacai Chen <chenhuacai@kernel.org> <chenhuacai@loongson.cn>
 James Hogan <jhogan@kernel.org> <james.hogan@imgtec.com>
 Juan Quintela <quintela@trasno.org> <quintela@redhat.com>
-Leif Lindholm <quic_llindhol@quicinc.com> <leif.lindholm@linaro.org>
+Leif Lindholm <leif.lindholm@oss.qualcomm.com> <quic_llindhol@quicinc.com>
-Leif Lindholm <quic_llindhol@quicinc.com> <leif@nuviainc.com>
+Leif Lindholm <leif.lindholm@oss.qualcomm.com> <leif.lindholm@linaro.org>
 Leif Lindholm <leif.lindholm@oss.qualcomm.com> <leif@nuviainc.com>
 Luc Michel <luc@lmichel.fr> <luc.michel@git.antfield.fr>
 Luc Michel <luc@lmichel.fr> <luc.michel@greensocs.com>
 Luc Michel <luc@lmichel.fr> <lmichel@kalray.eu>
--- a/Kconfig.host
+++ b/Kconfig.host
@ -61,3 +61,6 @@ config HV_BALLOON_POSSIBLE
 config HAVE_RUST
    bool
 config MAC_PVG
    bool
--- a/273
+++ b/273
@ -72,11 +72,14 @@ R: Markus Armbruster <armbru@redhat.com>
 R: Philippe Mathieu-Daudé <philmd@linaro.org>
 W: https://www.qemu.org/docs/master/devel/index.html
 S: Odd Fixes
-F: docs/devel/style.rst
+F: docs/devel/build-environment.rst
 F: docs/devel/code-of-conduct.rst
 F: docs/devel/codebase.rst
 F: docs/devel/conflict-resolution.rst
 F: docs/devel/style.rst
 F: docs/devel/submitting-a-patch.rst
 F: docs/devel/submitting-a-pull-request.rst
 F: docs/glossary.rst
 Responsible Disclosure, Reporting Security Issues
 -------------------------------------------------
@ -118,7 +121,7 @@ F: pc-bios/s390-ccw.img
 F: target/s390x/
 F: docs/system/target-s390x.rst
 F: docs/system/s390x/
-F: tests/migration/s390x/
+F: tests/qtest/migration/s390x/
 K: ^Subject:.*(?i)s390x?
 L: qemu-s390x@nongnu.org
@ -149,10 +152,7 @@ Overall TCG CPUs
 M: Richard Henderson <richard.henderson@linaro.org>
 R: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
 F: system/cpus.c
 F: system/watchpoint.c
 F: cpu-common.c
 F: cpu-target.c
 F: page-vary-target.c
 F: page-vary-common.c
 F: accel/tcg/
@ -162,17 +162,13 @@ F: util/cacheflush.c
 F: scripts/decodetree.py
 F: docs/devel/decodetree.rst
 F: docs/devel/tcg*
 F: include/exec/cpu*.h
 F: include/exec/exec-all.h
 F: include/exec/tb-flush.h
 F: include/exec/target_long.h
 F: include/exec/helper*.h
 F: include/exec/helper*.h.inc
 F: include/exec/helper-info.c.inc
 F: include/exec/page-protection.h
-F: include/sysemu/cpus.h
+F: include/system/tcg.h
-F: include/sysemu/tcg.h
+F: include/accel/tcg/cpu-ops.h
 F: include/hw/core/tcg-cpu-ops.h
 F: host/include/*/host/cpuinfo.h
 F: util/cpuinfo-*.c
 F: include/tcg/
@ -226,7 +222,7 @@ F: target/avr/
 F: tests/functional/test_avr_mega2560.py
 Hexagon TCG CPUs
-M: Brian Cain <bcain@oss.qualcomm.com>
+M: Brian Cain <brian.cain@oss.qualcomm.com>
 S: Supported
 F: target/hexagon/
 X: target/hexagon/idef-parser/
@ -248,6 +244,7 @@ F: target/hexagon/gen_idef_parser_funcs.py
 HPPA (PA-RISC) TCG CPUs
 M: Richard Henderson <richard.henderson@linaro.org>
 M: Helge Deller <deller@gmx.de>
 S: Maintained
 F: target/hppa/
 F: disas/hppa.c
@ -315,7 +312,6 @@ F: tests/functional/test_ppc_74xx.py
 RISC-V TCG CPUs
 M: Palmer Dabbelt <palmer@dabbelt.com>
 M: Alistair Francis <alistair.francis@wdc.com>
 M: Bin Meng <bmeng.cn@gmail.com>
 R: Weiwei Li <liwei1518@gmail.com>
 R: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
 R: Liu Zhiwei <zhiwei_liu@linux.alibaba.com>
@ -323,9 +319,12 @@ L: qemu-riscv@nongnu.org
 S: Supported
 F: configs/targets/riscv*
 F: docs/system/target-riscv.rst
 F: docs/specs/riscv-iommu.rst
 F: target/riscv/
 F: hw/char/riscv_htif.c
 F: hw/riscv/
 F: hw/intc/riscv*
 F: include/hw/char/riscv_htif.h
 F: include/hw/riscv/
 F: linux-user/host/riscv32/
 F: linux-user/host/riscv64/
@ -434,7 +433,7 @@ F: */*/kvm*
 F: accel/kvm/
 F: accel/stubs/kvm-stub.c
 F: include/hw/kvm/
-F: include/sysemu/kvm*.h
+F: include/system/kvm*.h
 F: scripts/kvm/kvm_flightrecorder
 ARM KVM CPUs
@ -447,7 +446,7 @@ MIPS KVM CPUs
 M: Huacai Chen <chenhuacai@kernel.org>
 S: Odd Fixes
 F: target/mips/kvm*
-F: target/mips/sysemu/
+F: target/mips/system/
 PPC KVM CPUs
 M: Nicholas Piggin <npiggin@gmail.com>
@ -481,10 +480,10 @@ Xen emulation on X86 KVM CPUs
 M: David Woodhouse <dwmw2@infradead.org>
 M: Paul Durrant <paul@xen.org>
 S: Supported
-F: include/sysemu/kvm_xen.h
+F: include/system/kvm_xen.h
 F: target/i386/kvm/xen*
 F: hw/i386/kvm/xen*
-F: tests/avocado/kvm_xen_guest.py
+F: tests/functional/test_x86_64_kvm_xen.py
 Guest CPU Cores (other accelerators)
 ------------------------------------
@ -492,12 +491,19 @@ Overall
 M: Richard Henderson <richard.henderson@linaro.org>
 R: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
 F: include/exec/cpu*.h
 F: include/exec/exec-all.h
 F: include/exec/target_long.h
 F: include/qemu/accel.h
-F: include/sysemu/accel-*.h
+F: include/system/accel-*.h
-F: include/hw/core/accel-cpu.h
+F: include/system/cpus.h
 F: include/accel/accel-cpu-target.h
 F: accel/accel-*.c
 F: accel/Makefile.objs
 F: accel/stubs/Makefile.objs
 F: cpu-common.c
 F: cpu-target.c
 F: system/cpus.c
 Apple Silicon HVF CPUs
 M: Alexander Graf <agraf@csgraf.de>
@ -507,6 +513,7 @@ F: target/arm/hvf/
 X86 HVF CPUs
 M: Cameron Esfahani <dirty@apple.com>
 M: Roman Bolshakov <rbolshakov@ddn.com>
 R: Phil Dennis-Jordan <phil@philjordan.eu>
 W: https://wiki.qemu.org/Features/HVF
 S: Maintained
 F: target/i386/hvf/
@ -514,17 +521,18 @@ F: target/i386/hvf/
 HVF
 M: Cameron Esfahani <dirty@apple.com>
 M: Roman Bolshakov <rbolshakov@ddn.com>
 R: Phil Dennis-Jordan <phil@philjordan.eu>
 W: https://wiki.qemu.org/Features/HVF
 S: Maintained
 F: accel/hvf/
-F: include/sysemu/hvf.h
+F: include/system/hvf.h
-F: include/sysemu/hvf_int.h
+F: include/system/hvf_int.h
 WHPX CPUs
 M: Sunil Muthuswamy <sunilmut@microsoft.com>
 S: Supported
 F: target/i386/whpx/
-F: include/sysemu/whpx.h
+F: include/system/whpx.h
 Guest CPU Cores (Xen)
 ---------------------
@ -550,8 +558,8 @@ F: hw/i386/xen/
 F: hw/pci-host/xen_igd_pt.c
 F: include/hw/block/dataplane/xen*
 F: include/hw/xen/
-F: include/sysemu/xen.h
+F: include/system/xen.h
-F: include/sysemu/xen-mapcache.h
+F: include/system/xen-mapcache.h
 F: stubs/xen-hw-stub.c
 F: docs/system/arm/xenpvh.rst
 F: docs/system/i386/xenpvh.rst
@ -561,7 +569,7 @@ Guest CPU Cores (NVMM)
 NetBSD Virtual Machine Monitor (NVMM) CPU support
 M: Reinoud Zandijk <reinoud@netbsd.org>
 S: Maintained
-F: include/sysemu/nvmm.h
+F: include/system/nvmm.h
 F: target/i386/nvmm/
 Hosts
@ -579,7 +587,7 @@ POSIX
 M: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
 F: os-posix.c
-F: include/sysemu/os-posix.h
+F: include/system/os-posix.h
 F: util/*posix*.c
 F: include/qemu/*posix*.h
@ -633,6 +641,7 @@ F: include/hw/*/allwinner*
 F: hw/arm/cubieboard.c
 F: docs/system/arm/cubieboard.rst
 F: hw/misc/axp209.c
 F: tests/functional/test_arm_cubieboard.py
 Allwinner-h3
 M: Niek Linnenbank <nieklinnenbank@gmail.com>
@ -720,6 +729,7 @@ S: Odd Fixes
 F: hw/*/exynos*
 F: include/hw/*/exynos*
 F: docs/system/arm/exynos.rst
 F: tests/functional/test_arm_smdkc210.py
 Calxeda Highbank
 M: Rob Herring <robh@kernel.org>
@ -777,7 +787,7 @@ F: docs/system/arm/kzm.rst
 Integrator CP
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/arm/integratorcp.c
 F: hw/misc/arm_integrator_debug.c
 F: include/hw/misc/arm_integrator_debug.h
@ -810,6 +820,21 @@ F: hw/pci-host/designware.c
 F: include/hw/pci-host/designware.h
 F: docs/system/arm/mcimx7d-sabre.rst
 MCIMX8MP-EVK / i.MX8MP
 M: Bernhard Beschow <shentey@gmail.com>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/imx8mp-evk.c
 F: hw/arm/fsl-imx8mp.c
 F: hw/misc/imx8mp_*.c
 F: hw/pci-host/fsl_imx8m_phy.c
 F: hw/rtc/rs5c372.c
 F: include/hw/arm/fsl-imx8mp.h
 F: include/hw/misc/imx8mp_*.h
 F: include/hw/pci-host/fsl_imx8m_phy.h
 F: docs/system/arm/imx8mp-evk.rst
 F: tests/qtest/rs5c372-test.c
 MPS2 / MPS3
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
@ -843,7 +868,7 @@ F: docs/system/arm/mps2.rst
 Musca
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/arm/musca.c
 F: docs/system/arm/musca.rst
@ -868,8 +893,10 @@ F: include/hw/*/npcm*
 F: tests/qtest/npcm*
 F: tests/qtest/adm1266-test.c
 F: pc-bios/npcm7xx_bootrom.bin
 F: pc-bios/npcm8xx_bootrom.bin
 F: roms/vbootrom
 F: docs/system/arm/nuvoton.rst
 F: tests/functional/test_arm_quanta_gsj.py
 Raspberry Pi
 M: Peter Maydell <peter.maydell@linaro.org>
@ -889,7 +916,7 @@ F: tests/functional/test_aarch64_raspi4.py
 Real View
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/arm/realview*
 F: hw/cpu/realview_mpcore.c
 F: hw/intc/realview_gic.c
@ -915,8 +942,7 @@ F: include/hw/ssi/imx_spi.h
 SBSA-REF
 M: Radoslaw Biernacki <rad@semihalf.com>
 M: Peter Maydell <peter.maydell@linaro.org>
-R: Leif Lindholm <quic_llindhol@quicinc.com>
+R: Leif Lindholm <leif.lindholm@oss.qualcomm.com>
 R: Marcin Juszkiewicz <marcin.juszkiewicz@linaro.org>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/sbsa-ref.c
@ -940,7 +966,7 @@ F: tests/functional/test_arm_collie.py
 Stellaris
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/*/stellaris*
 F: hw/display/ssd03*
 F: include/hw/input/gamepad.h
@ -970,7 +996,7 @@ F: docs/system/arm/stm32.rst
 Versatile Express
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/arm/vexpress.c
 F: hw/display/sii9022.c
 F: docs/system/arm/vexpress.rst
@ -979,7 +1005,7 @@ F: tests/functional/test_arm_vexpress.py
 Versatile PB
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/*/versatile*
 F: hw/i2c/arm_sbcon_i2c.c
 F: include/hw/i2c/arm_sbcon_i2c.h
@ -993,7 +1019,7 @@ S: Maintained
 F: hw/arm/virt*
 F: include/hw/arm/virt.h
 F: docs/system/arm/virt.rst
-F: tests/functional/test_aarch64_virt.py
+F: tests/functional/test_aarch64_virt*.py
 F: tests/functional/test_aarch64_tuxrun.py
 F: tests/functional/test_arm_tuxrun.py
@ -1025,6 +1051,7 @@ F: hw/display/dpcd.c
 F: include/hw/display/dpcd.h
 F: docs/system/arm/xlnx-versal-virt.rst
 F: docs/system/arm/xlnx-zcu102.rst
 F: tests/functional/test_aarch64_xlnx_versal.py
 Xilinx Versal OSPI
 M: Francisco Iglesias <francisco.iglesias@amd.com>
@ -1115,6 +1142,7 @@ L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/msf2-som.c
 F: docs/system/arm/emcraft-sf2.rst
 F: tests/functional/test_arm_emcraft_sf2.py
 ASPEED BMCs
 M: Cédric Le Goater <clg@kaod.org>
@ -1146,6 +1174,7 @@ F: hw/*/microbit*.c
 F: include/hw/*/nrf51*.h
 F: include/hw/*/microbit*.h
 F: tests/qtest/microbit-test.c
 F: tests/functional/test_arm_microbit.py
 F: docs/system/arm/nrf.rst
 ARM PL011 Rust device
@ -1177,9 +1206,10 @@ HP-PARISC Machines
 ------------------
 HP B160L, HP C3700
 M: Richard Henderson <richard.henderson@linaro.org>
-R: Helge Deller <deller@gmx.de>
+M: Helge Deller <deller@gmx.de>
-S: Odd Fixes
+S: Maintained
 F: configs/devices/hppa-softmmu/default.mak
 F: hw/char/diva-gsp.c
 F: hw/display/artist.c
 F: hw/hppa/
 F: hw/input/lasips2.c
@ -1194,6 +1224,7 @@ F: include/hw/pci-host/astro.h
 F: include/hw/pci-host/dino.h
 F: pc-bios/hppa-firmware.img
 F: roms/seabios-hppa/
 F: tests/functional/test_hppa_seabios.py
 LoongArch Machines
 ------------------
@ -1279,6 +1310,7 @@ F: include/hw/intc/goldfish_pic.h
 F: include/hw/intc/m68k_irqc.h
 F: include/hw/misc/virt_ctrl.h
 F: docs/specs/virt-ctlr.rst
 F: tests/functional/test_m68k_tuxrun.py
 MicroBlaze Machines
 -------------------
@ -1378,12 +1410,6 @@ F: hw/openrisc/openrisc_sim.c
 PowerPC Machines
 ----------------
 405 (ref405ep)
 L: qemu-ppc@nongnu.org
 S: Orphan
 F: hw/ppc/ppc405*
 F: tests/functional/test_ppc_405.py
 Bamboo
 L: qemu-ppc@nongnu.org
 S: Orphan
@ -1439,6 +1465,7 @@ F: include/hw/pci-host/uninorth.h
 F: include/hw/input/adb*
 F: pc-bios/qemu_vga.ndrv
 F: tests/functional/test_ppc_mac.py
 F: tests/functional/test_ppc64_mac99.py
 Old World (g3beige)
 M: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
@ -1513,6 +1540,7 @@ F: include/hw/ppc/pnv*
 F: include/hw/pci-host/pnv*
 F: include/hw/ssi/pnv_spi*
 F: pc-bios/skiboot.lid
 F: pc-bios/pnv-pnor.bin
 F: tests/qtest/pnv*
 F: tests/functional/test_ppc64_powernv.py
@ -1545,6 +1573,7 @@ F: pc-bios/canyonlands.dt[sb]
 F: pc-bios/u-boot-sam460ex-20100605.bin
 F: roms/u-boot-sam460ex
 F: docs/system/ppc/amigang.rst
 F: tests/functional/test_ppc_sam460ex.py
 pegasos2
 M: BALATON Zoltan <balaton@eik.bme.hu>
@ -1586,7 +1615,6 @@ F: include/hw/riscv/opentitan.h
 F: include/hw/*/ibex_*.h
 Microchip PolarFire SoC Icicle Kit
 M: Bin Meng <bmeng.cn@gmail.com>
 L: qemu-riscv@nongnu.org
 S: Supported
 F: docs/system/riscv/microchip-icicle-kit.rst
@ -1613,7 +1641,6 @@ F: include/hw/char/shakti_uart.h
 SiFive Machines
 M: Alistair Francis <Alistair.Francis@wdc.com>
 M: Bin Meng <bmeng.cn@gmail.com>
 M: Palmer Dabbelt <palmer@dabbelt.com>
 L: qemu-riscv@nongnu.org
 S: Supported
@ -1621,6 +1648,12 @@ F: docs/system/riscv/sifive_u.rst
 F: hw/*/*sifive*.c
 F: include/hw/*/*sifive*.h
 AMD Microblaze-V Generic Board
 M: Sai Pavan Boddu <sai.pavan.boddu@amd.com>
 S: Maintained
 F: hw/riscv/microblaze-v-generic.c
 F: docs/system/riscv/microblaze-v-generic.rst
 RX Machines
 -----------
 rx-gdbsim
@ -1643,7 +1676,7 @@ F: hw/pci-host/sh_pci.c
 F: hw/timer/sh_timer.c
 F: include/hw/sh4/sh_intc.h
 F: include/hw/timer/tmu012.h
-F: tests/functional/test_sh4_r2d.py
+F: tests/functional/test_sh4*_r2d.py
 F: tests/functional/test_sh4_tuxrun.py
 SPARC Machines
@ -1861,7 +1894,7 @@ R: Yanan Wang <wangyanan55@huawei.com>
 R: Zhao Liu <zhao1.liu@intel.com>
 S: Supported
 F: hw/core/cpu-common.c
-F: hw/core/cpu-sysemu.c
+F: hw/core/cpu-system.c
 F: hw/core/machine-qmp-cmds.c
 F: hw/core/machine.c
 F: hw/core/machine-smp.c
@ -1874,7 +1907,7 @@ F: qapi/machine-target.json
 F: include/hw/boards.h
 F: include/hw/core/cpu.h
 F: include/hw/cpu/cluster.h
-F: include/sysemu/numa.h
+F: include/system/numa.h
 F: tests/functional/test_cpu_queries.py
 F: tests/functional/test_empty_cpu_model.py
 F: tests/unit/test-smp-parse.c
@ -1914,6 +1947,7 @@ F: tests/qtest/fuzz-sb16-test.c
 Xilinx CAN
 M: Francisco Iglesias <francisco.iglesias@amd.com>
 M: Vikram Garhwal <vikram.garhwal@bytedance.com>
 S: Maintained
 F: hw/net/can/xlnx-*
 F: include/hw/net/xlnx-*
@ -1970,10 +2004,11 @@ F: include/hw/hyperv/vmbus*.h
 OMAP
 M: Peter Maydell <peter.maydell@linaro.org>
 L: qemu-arm@nongnu.org
-S: Maintained
+S: Odd Fixes
 F: hw/*/omap*
 F: include/hw/arm/omap.h
 F: docs/system/arm/sx1.rst
 F: tests/functional/test_arm_sx1.py
 IPack
 M: Alberto Garcia <berto@igalia.com>
@ -2150,10 +2185,17 @@ M: Cédric Le Goater <clg@redhat.com>
 S: Supported
 F: hw/vfio/*
 F: include/hw/vfio/
 F: docs/igd-assign.txt
 F: docs/devel/migration/vfio.rst
 F: qapi/vfio.json
 vfio-igd
 M: Alex Williamson <alex.williamson@redhat.com>
 M: Cédric Le Goater <clg@redhat.com>
 M: Tomita Moeko <tomitamoeko@gmail.com>
 S: Supported
 F: hw/vfio/igd.c
 F: docs/igd-assign.txt
 vfio-ccw
 M: Eric Farman <farman@linux.ibm.com>
 M: Matthew Rosato <mjrosato@linux.ibm.com>
@ -2183,9 +2225,9 @@ M: Eric Auger <eric.auger@redhat.com>
 M: Zhenzhong Duan <zhenzhong.duan@intel.com>
 S: Supported
 F: backends/iommufd.c
-F: include/sysemu/iommufd.h
+F: include/system/iommufd.h
 F: backends/host_iommu_device.c
-F: include/sysemu/host_iommu_device.h
+F: include/system/host_iommu_device.h
 F: include/qemu/chardev_open.h
 F: util/chardev_open.c
 F: docs/devel/vfio-iommufd.rst
@ -2195,12 +2237,16 @@ M: Michael S. Tsirkin <mst@redhat.com>
 R: Stefano Garzarella <sgarzare@redhat.com>
 S: Supported
 F: hw/*/*vhost*
-F: docs/interop/vhost-user.json
+F: docs/interop/vhost-user*
-F: docs/interop/vhost-user.rst
+F: docs/system/devices/vhost-user*
 F: contrib/vhost-user-*/
-F: backends/vhost-user.c
+F: backends/*vhost*
-F: include/sysemu/vhost-user-backend.h
+F: include/system/vhost-user-backend.h
 F: include/hw/virtio/vhost*
 F: include/*/vhost*
 F: subprojects/libvhost-user/
 F: block/export/vhost-user*
 F: util/vhost-user-server.c
 vhost-shadow-virtqueue
 R: Eugenio Pérez <eperezma@redhat.com>
@ -2227,12 +2273,13 @@ F: docs/interop/virtio-balloon-stats.rst
 F: hw/virtio/virtio-balloon*.c
 F: include/hw/virtio/virtio-balloon.h
 F: system/balloon.c
-F: include/sysemu/balloon.h
+F: include/system/balloon.h
 F: tests/qtest/virtio-balloon-test.c
 F: tests/functional/test_virtio_balloon.py
 virtio-9p
 M: Greg Kurz <groug@kaod.org>
 M: Christian Schoenebeck <qemu_oss@crudebyte.com>
 R: Greg Kurz <groug@kaod.org>
 S: Maintained
 W: https://wiki.qemu.org/Documentation/9p
 F: hw/9pfs/
@ -2240,7 +2287,6 @@ X: hw/9pfs/xen-9p*
 F: fsdev/
 F: tests/qtest/virtio-9p-test.c
 F: tests/qtest/libqos/virtio-9p*
 T: git https://gitlab.com/gkurz/qemu.git 9p-next
 T: git https://github.com/cschoenebeck/qemu.git 9p.next
 virtio-blk
@ -2252,6 +2298,7 @@ F: hw/block/virtio-blk.c
 F: hw/block/dataplane/*
 F: include/hw/virtio/virtio-blk-common.h
 F: tests/qtest/virtio-blk-test.c
 F: tests/functional/test_x86_64_hotplug_blk.py
 T: git https://github.com/stefanha/qemu.git block
 virtio-ccw
@ -2309,7 +2356,7 @@ R: Amit Shah <amit@kernel.org>
 S: Supported
 F: hw/virtio/virtio-rng.c
 F: include/hw/virtio/virtio-rng.h
-F: include/sysemu/rng*.h
+F: include/system/rng*.h
 F: backends/rng*.c
 F: tests/qtest/virtio-rng-test.c
@ -2370,6 +2417,9 @@ F: include/hw/virtio/virtio-crypto.h
 virtio based memory device
 M: David Hildenbrand <david@redhat.com>
 S: Supported
 F: hw/s390x/virtio-ccw-md.c
 F: hw/s390x/virtio-ccw-md.h
 F: hw/s390x/virtio-ccw-md-stubs.c
 F: hw/virtio/virtio-md-pci.c
 F: include/hw/virtio/virtio-md-pci.h
 F: stubs/virtio-md-pci.c
@ -2381,6 +2431,8 @@ W: https://virtio-mem.gitlab.io/
 F: hw/virtio/virtio-mem.c
 F: hw/virtio/virtio-mem-pci.h
 F: hw/virtio/virtio-mem-pci.c
 F: hw/s390x/virtio-ccw-mem.c
 F: hw/s390x/virtio-ccw-mem.h
 F: include/hw/virtio/virtio-mem.h
 virtio-snd
@ -2493,8 +2545,7 @@ F: hw/i2c/i2c_mux_pca954x.c
 F: include/hw/i2c/i2c_mux_pca954x.h
 pcf8574
-M: Dmitrii Sharikhin <d.sharikhin@yadro.com>
+S: Orphaned
 S: Maintained
 F: hw/gpio/pcf8574.c
 F: include/gpio/pcf8574.h
@ -2511,7 +2562,7 @@ M: Alex Bennée <alex.bennee@linaro.org>
 S: Maintained
 F: hw/core/guest-loader.c
 F: docs/system/guest-loader.rst
-F: tests/avocado/boot_xen.py
+F: tests/functional/test_aarch64_xen.py
 Intel Hexadecimal Object File Loader
 M: Su Hang <suhang16@mails.ucas.ac.cn>
@ -2577,6 +2628,7 @@ F: hw/display/virtio-gpu*
 F: hw/display/virtio-vga.*
 F: include/hw/virtio/virtio-gpu.h
 F: docs/system/devices/virtio-gpu.rst
 F: tests/functional/test_aarch64_virt_gpu.py
 vhost-user-blk
 M: Raphael Norwitz <raphael@enfabrica.net>
@ -2612,6 +2664,11 @@ F: hw/display/edid*
 F: include/hw/display/edid.h
 F: qemu-edid.c
 macOS PV Graphics (apple-gfx)
 M: Phil Dennis-Jordan <phil@philjordan.eu>
 S: Maintained
 F: hw/display/apple-gfx*
 PIIX4 South Bridge (i82371AB)
 M: Hervé Poussineau <hpoussin@reactos.org>
 M: Philippe Mathieu-Daudé <philmd@linaro.org>
@ -2673,6 +2730,7 @@ F: include/hw/rx/
 CAN bus subsystem and hardware
 M: Pavel Pisa <pisa@cmp.felk.cvut.cz>
 M: Francisco Iglesias <francisco.iglesias@amd.com>
 M: Vikram Garhwal <vikram.garhwal@bytedance.com>
 S: Maintained
 W: https://canbus.pages.fel.cvut.cz/
 F: net/can/*
@ -2758,6 +2816,27 @@ F: hw/hyperv/hv-balloon*.h
 F: include/hw/hyperv/dynmem-proto.h
 F: include/hw/hyperv/hv-balloon.h
 ivshmem-flat
 M: Gustavo Romero <gustavo.romero@linaro.org>
 S: Maintained
 F: hw/misc/ivshmem-flat.c
 F: include/hw/misc/ivshmem-flat.h
 F: docs/system/devices/ivshmem-flat.rst
 UEFI variable service
 M: Gerd Hoffmann <kraxel@redhat.com>
 S: Maintained
 F: hw/uefi/
 F: include/hw/uefi/
 VMapple
 M: Alexander Graf <agraf@csgraf.de>
 M: Phil Dennis-Jordan <phil@philjordan.eu>
 S: Maintained
 F: hw/vmapple/*
 F: include/hw/vmapple/*
 F: docs/system/arm/vmapple.rst
 Subsystems
 ----------
 Overall Audio backends
@ -2766,7 +2845,7 @@ M: Marc-André Lureau <marcandre.lureau@redhat.com>
 S: Odd Fixes
 F: audio/
 X: audio/alsaaudio.c
-X: audio/coreaudio.c
+X: audio/coreaudio.m
 X: audio/dsound*
 X: audio/jackaudio.c
 X: audio/ossaudio.c
@ -2788,7 +2867,7 @@ M: Philippe Mathieu-Daudé <philmd@linaro.org>
 R: Christian Schoenebeck <qemu_oss@crudebyte.com>
 R: Akihiko Odaki <akihiko.odaki@daynix.com>
 S: Odd Fixes
-F: audio/coreaudio.c
+F: audio/coreaudio.m
 DSound Audio backend
 M: Gerd Hoffmann <kraxel@redhat.com>
@ -2834,7 +2913,7 @@ F: hw/block/
 F: qapi/block*.json
 F: qapi/transaction.json
 F: include/block/
-F: include/sysemu/block-*.h
+F: include/system/block-*.h
 F: qemu-img*
 F: docs/tools/qemu-img.rst
 F: qemu-io*
@ -2973,21 +3052,23 @@ M: Alistair Francis <alistair.francis@wdc.com>
 R: David Gibson <david@gibson.dropbear.id.au>
 S: Maintained
 F: system/device_tree.c
-F: include/sysemu/device_tree.h
+F: include/system/device_tree.h
 Dump
 S: Supported
 M: Marc-André Lureau <marcandre.lureau@redhat.com>
 R: Ani Sinha <anisinha@redhat.com>
 F: dump/
 F: hw/misc/vmcoreinfo.c
 F: include/hw/misc/vmcoreinfo.h
 F: include/qemu/win_dump_defs
-F: include/sysemu/dump-arch.h
+F: include/system/dump-arch.h
-F: include/sysemu/dump.h
+F: include/system/dump.h
 F: qapi/dump.json
 F: scripts/dump-guest-memory.py
 F: stubs/dump.c
 F: docs/specs/vmcoreinfo.rst
 F: tests/qtest/vmcoreinfo-test.c
 Error reporting
 M: Markus Armbruster <armbru@redhat.com>
@ -3029,7 +3110,7 @@ F: include/exec/memop.h
 F: include/exec/memory.h
 F: include/exec/ram_addr.h
 F: include/exec/ramblock.h
-F: include/sysemu/memory_mapping.h
+F: include/system/memory_mapping.h
 F: system/dma-helpers.c
 F: system/ioport.c
 F: system/memory.c
@ -3082,8 +3163,8 @@ Main loop
 M: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
 F: include/qemu/main-loop.h
-F: include/sysemu/runstate.h
+F: include/system/runstate.h
-F: include/sysemu/runstate-action.h
+F: include/system/runstate-action.h
 F: util/main-loop.c
 F: util/qemu-timer*.c
 F: system/vl.c
@ -3146,7 +3227,7 @@ M: David Hildenbrand <david@redhat.com>
 M: Igor Mammedov <imammedo@redhat.com>
 S: Maintained
 F: backends/hostmem*.c
-F: include/sysemu/hostmem.h
+F: include/system/hostmem.h
 F: docs/system/vm-templating.rst
 T: git https://gitlab.com/ehabkost/qemu.git machine-next
@ -3154,7 +3235,7 @@ Cryptodev Backends
 M: Gonglei <arei.gonglei@huawei.com>
 M: zhenwei pi <pizhenwei@bytedance.com>
 S: Maintained
-F: include/sysemu/cryptodev*.h
+F: include/system/cryptodev*.h
 F: backends/cryptodev*.c
 F: qapi/cryptodev.json
@ -3192,8 +3273,6 @@ S: Supported
 F: qapi/
 X: qapi/*.json
 F: include/qapi/
 X: include/qapi/qmp/
 F: include/qapi/qmp/dispatch.h
 F: tests/qapi-schema/
 F: tests/unit/test-*-visitor.c
 F: tests/unit/test-qapi-*.c
@ -3217,8 +3296,7 @@ QObject
 M: Markus Armbruster <armbru@redhat.com>
 S: Supported
 F: qobject/
-F: include/qapi/qmp/
+F: include/qobject/
 X: include/qapi/qmp/dispatch.h
 F: scripts/coccinelle/qobject.cocci
 F: tests/unit/check-qdict.c
 F: tests/unit/check-qjson.c
@ -3303,7 +3381,7 @@ M: Laurent Vivier <lvivier@redhat.com>
 R: Paolo Bonzini <pbonzini@redhat.com>
 S: Maintained
 F: system/qtest.c
-F: include/sysemu/qtest.h
+F: include/system/qtest.h
 F: accel/qtest/
 F: tests/qtest/
 F: docs/devel/qgraph.rst
@ -3343,6 +3421,7 @@ F: rust/rustfmt.toml
 Rust-related patches CC here
 L: qemu-rust@nongnu.org
 F: tests/docker/test-rust
 F: rust/
 SLIRP
@ -3354,7 +3433,7 @@ T: git https://people.debian.org/~sthibault/qemu.git slirp
 Stats
 S: Orphan
-F: include/sysemu/stats.h
+F: include/system/stats.h
 F: stats/
 F: qapi/stats.json
@ -3395,7 +3474,7 @@ S: Maintained
 F: system/tpm*
 F: hw/tpm/*
 F: include/hw/acpi/tpm.h
-F: include/sysemu/tpm*
+F: include/system/tpm*
 F: qapi/tpm.json
 F: backends/tpm/
 F: tests/qtest/*tpm*
@ -3406,7 +3485,7 @@ SPDM
 M: Alistair Francis <alistair.francis@wdc.com>
 S: Maintained
 F: backends/spdm-socket.c
-F: include/sysemu/spdm-socket.h
+F: include/system/spdm-socket.h
 Checkpatch
 S: Odd Fixes
@ -3422,11 +3501,13 @@ F: include/migration/
 F: include/qemu/userfaultfd.h
 F: migration/
 F: scripts/vmstate-static-checker.py
 F: tests/functional/test_migration.py
 F: tests/vmstate-static-checker-data/
 F: tests/qtest/migration/
 F: tests/qtest/migration-*
 F: docs/devel/migration/
 F: qapi/migration.json
-F: tests/migration/
+F: tests/migration-stress/
 F: util/userfaultfd.c
 X: migration/rdma*
@ -3440,10 +3521,10 @@ Migration dirty limit and dirty page rate
 M: Hyman Huang <yong.huang@smartx.com>
 S: Maintained
 F: system/dirtylimit.c
-F: include/sysemu/dirtylimit.h
+F: include/system/dirtylimit.h
 F: migration/dirtyrate.c
 F: migration/dirtyrate.h
-F: include/sysemu/dirtyrate.h
+F: include/system/dirtyrate.h
 F: docs/devel/migration/dirty-limit.rst
 Detached LUKS header
@ -3471,7 +3552,7 @@ Seccomp
 M: Daniel P. Berrange <berrange@redhat.com>
 S: Odd Fixes
 F: system/qemu-seccomp.c
-F: include/sysemu/seccomp.h
+F: include/system/seccomp.h
 F: tests/unit/test-seccomp.c
 Cryptography
@ -3576,21 +3657,22 @@ F: net/filter-mirror.c
 F: tests/qtest/test-filter*
 Record/replay
 M: Pavel Dovgalyuk <pavel.dovgaluk@ispras.ru>
 R: Paolo Bonzini <pbonzini@redhat.com>
 R: Alex Bennée <alex.bennee@linaro.org>
 W: https://wiki.qemu.org/Features/record-replay
-S: Supported
+S: Odd Fixes
 F: replay/*
 F: block/blkreplay.c
 F: net/filter-replay.c
 F: include/exec/replay-core.h
-F: include/sysemu/replay.h
+F: include/system/replay.h
 F: docs/devel/replay.rst
 F: docs/system/replay.rst
 F: stubs/replay.c
 F: tests/avocado/replay_kernel.py
 F: tests/avocado/replay_linux.py
 F: tests/avocado/reverse_debugging.py
 F: tests/functional/*replay*.py
 F: qapi/replay.json
 IOVA Tree
@ -3674,13 +3756,15 @@ S: Supported
 F: hw/i386/intel_iommu.c
 F: hw/i386/intel_iommu_internal.h
 F: include/hw/i386/intel_iommu.h
 F: tests/functional/test_intel_iommu.py
 F: tests/qtest/intel-iommu-test.c
 AMD-Vi Emulation
 S: Orphan
 F: hw/i386/amd_iommu.?
 OpenSBI Firmware
-M: Bin Meng <bmeng.cn@gmail.com>
+L: qemu-riscv@nongnu.org
 S: Supported
 F: pc-bios/opensbi-*
 F: .gitlab-ci.d/opensbi.yml
@ -3702,7 +3786,7 @@ M: Peter Maydell <peter.maydell@linaro.org>
 S: Maintained
 F: include/hw/resettable.h
 F: include/hw/core/resetcontainer.h
-F: include/sysemu/reset.h
+F: include/system/reset.h
 F: hw/core/reset.c
 F: hw/core/resettable.c
 F: hw/core/resetcontainer.c
@ -3713,6 +3797,7 @@ Overall usermode emulation
 M: Riku Voipio <riku.voipio@iki.fi>
 S: Maintained
 F: accel/tcg/user-exec*.c
 F: hw/core/cpu-user.c
 F: include/user/
 F: common-user/
@ -4122,7 +4207,6 @@ M: Alex Bennée <alex.bennee@linaro.org>
 T: git https://gitlab.com/stsquad/qemu testing/next
 M: Philippe Mathieu-Daudé <philmd@linaro.org>
 M: Thomas Huth <thuth@redhat.com>
 R: Wainer dos Santos Moschetta <wainersm@redhat.com>
 S: Maintained
 F: .github/workflows/lockdown.yml
 F: .gitlab-ci.yml
@ -4150,6 +4234,8 @@ W: https://cirrus-ci.com/github/qemu/qemu
 Functional testing framework
 M: Thomas Huth <thuth@redhat.com>
 R: Philippe Mathieu-Daudé <philmd@linaro.org>
 R: Daniel P. Berrange <berrange@redhat.com>
 F: docs/devel/testing/functional.rst
 F: tests/functional/qemu_test/
 Windows Hosted Continuous Integration
@ -4166,8 +4252,6 @@ F: tests/tcg/Makefile.target
 Integration Testing with the Avocado framework
 W: https://trello.com/b/6Qi1pxVn/avocado-qemu
 R: Cleber Rosa <crosa@redhat.com>
 R: Philippe Mathieu-Daudé <philmd@linaro.org>
 R: Wainer dos Santos Moschetta <wainersm@redhat.com>
 S: Odd Fixes
 F: tests/avocado/
@ -4239,6 +4323,7 @@ S: Orphan
 F: po/*.po
 Sphinx documentation configuration and build machinery
 M: John Snow <jsnow@redhat.com>
 M: Peter Maydell <peter.maydell@linaro.org>
 S: Maintained
 F: docs/conf.py
--- a/6
+++ b/6
@ -207,10 +207,10 @@ clean: recurse-clean
 VERSION = $(shell cat $(SRC_PATH)/VERSION)
-dist: qemu-$(VERSION).tar.bz2
+dist: qemu-$(VERSION).tar.xz
-qemu-%.tar.bz2:
+qemu-%.tar.xz:
-	$(SRC_PATH)/scripts/make-release "$(SRC_PATH)" "$(patsubst qemu-%.tar.bz2,%,$@)"
+	$(SRC_PATH)/scripts/make-release "$(SRC_PATH)" "$(patsubst qemu-%.tar.xz,%,$@)"
 distclean: clean recurse-distclean
 	-$(quiet-@)test -f build.ninja && $(NINJA) $(NINJAFLAGS) -t clean -g || :
--- a/2
+++ b/2
@ -1 +1 @@
-9.2.2
+10.0.0
--- a/accel/Kconfig
+++ b/accel/Kconfig
@ -16,4 +16,5 @@ config KVM
 config XEN
    bool
    select FSDEV_9P if VIRTFS
    select PCI_EXPRESS_GENERIC_BRIDGE
    select XEN_BUS
--- a/accel/accel-blocker.c
+++ b/accel/accel-blocker.c
@ -29,7 +29,7 @@
 #include "qemu/thread.h"
 #include "qemu/main-loop.h"
 #include "hw/core/cpu.h"
-#include "sysemu/accel-blocker.h"
+#include "system/accel-blocker.h"
 static QemuLockCnt accel_in_ioctl_lock;
 static QemuEvent accel_in_ioctl_event;
--- a/accel/accel-system.c
+++ b/accel/accel-system.c
@ -26,7 +26,8 @@
 #include "qemu/osdep.h"
 #include "qemu/accel.h"
 #include "hw/boards.h"
-#include "sysemu/cpus.h"
+#include "system/accel-ops.h"
 #include "system/cpus.h"
 #include "qemu/error-report.h"
 #include "accel-system.h"
--- a/accel/accel-target.c
+++ b/accel/accel-target.c
@ -27,7 +27,7 @@
 #include "qemu/accel.h"
 #include "cpu.h"
-#include "hw/core/accel-cpu.h"
+#include "accel/accel-cpu-target.h"
 #ifndef CONFIG_USER_ONLY
 #include "accel-system.h"
@ -38,6 +38,7 @@ static const TypeInfo accel_type = {
    .parent = TYPE_OBJECT,
    .class_size = sizeof(AccelClass),
    .instance_size = sizeof(AccelState),
    .abstract = true,
 };
 /* Lookup AccelClass from opt_name. Returns NULL if not found */
@ -112,22 +113,20 @@ void accel_init_interfaces(AccelClass *ac)
 void accel_cpu_instance_init(CPUState *cpu)
 {
-    CPUClass *cc = CPU_GET_CLASS(cpu);
+    if (cpu->cc->accel_cpu && cpu->cc->accel_cpu->cpu_instance_init) {
-
+        cpu->cc->accel_cpu->cpu_instance_init(cpu);
    if (cc->accel_cpu && cc->accel_cpu->cpu_instance_init) {
        cc->accel_cpu->cpu_instance_init(cpu);
    }
 }
 bool accel_cpu_common_realize(CPUState *cpu, Error **errp)
 {
    CPUClass *cc = CPU_GET_CLASS(cpu);
    AccelState *accel = current_accel();
    AccelClass *acc = ACCEL_GET_CLASS(accel);
    /* target specific realization */
-    if (cc->accel_cpu && cc->accel_cpu->cpu_target_realize
+    if (cpu->cc->accel_cpu
-        && !cc->accel_cpu->cpu_target_realize(cpu, errp)) {
+        && cpu->cc->accel_cpu->cpu_target_realize
        && !cpu->cc->accel_cpu->cpu_target_realize(cpu, errp)) {
        return false;
    }
--- a/accel/dummy-cpus.c
+++ b/accel/dummy-cpus.c
@ -13,7 +13,7 @@
 #include "qemu/osdep.h"
 #include "qemu/rcu.h"
-#include "sysemu/cpus.h"
+#include "system/cpus.h"
 #include "qemu/guest-random.h"
 #include "qemu/main-loop.h"
 #include "hw/core/cpu.h"
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@ -54,10 +54,11 @@
 #include "exec/exec-all.h"
 #include "gdbstub/enums.h"
 #include "hw/boards.h"
-#include "sysemu/cpus.h"
+#include "system/accel-ops.h"
-#include "sysemu/hvf.h"
+#include "system/cpus.h"
-#include "sysemu/hvf_int.h"
+#include "system/hvf.h"
-#include "sysemu/runstate.h"
+#include "system/hvf_int.h"
 #include "system/runstate.h"
 #include "qemu/guest-random.h"
 HVFState *hvf_state;
--- a/accel/hvf/hvf-all.c
+++ b/accel/hvf/hvf-all.c
@ -10,8 +10,8 @@
 #include "qemu/osdep.h"
 #include "qemu/error-report.h"
-#include "sysemu/hvf.h"
+#include "system/hvf.h"
-#include "sysemu/hvf_int.h"
+#include "system/hvf_int.h"
 const char *hvf_return_string(hv_return_t ret)
 {
--- a/accel/kvm/kvm-accel-ops.c
+++ b/accel/kvm/kvm-accel-ops.c
@ -16,10 +16,11 @@
 #include "qemu/osdep.h"
 #include "qemu/error-report.h"
 #include "qemu/main-loop.h"
-#include "sysemu/kvm.h"
+#include "system/accel-ops.h"
-#include "sysemu/kvm_int.h"
+#include "system/kvm.h"
-#include "sysemu/runstate.h"
+#include "system/kvm_int.h"
-#include "sysemu/cpus.h"
+#include "system/runstate.h"
 #include "system/cpus.h"
 #include "qemu/guest-random.h"
 #include "qapi/error.h"
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
@ -28,10 +28,10 @@
 #include "hw/pci/msix.h"
 #include "hw/s390x/adapter.h"
 #include "gdbstub/enums.h"
-#include "sysemu/kvm_int.h"
+#include "system/kvm_int.h"
-#include "sysemu/runstate.h"
+#include "system/runstate.h"
-#include "sysemu/cpus.h"
+#include "system/cpus.h"
-#include "sysemu/accel-blocker.h"
+#include "system/accel-blocker.h"
 #include "qemu/bswap.h"
 #include "exec/memory.h"
 #include "exec/ram_addr.h"
@ -42,15 +42,15 @@
 #include "qapi/visitor.h"
 #include "qapi/qapi-types-common.h"
 #include "qapi/qapi-visit-common.h"
-#include "sysemu/reset.h"
+#include "system/reset.h"
 #include "qemu/guest-random.h"
-#include "sysemu/hw_accel.h"
+#include "system/hw_accel.h"
 #include "kvm-cpus.h"
-#include "sysemu/dirtylimit.h"
+#include "system/dirtylimit.h"
 #include "qemu/range.h"
 #include "hw/boards.h"
-#include "sysemu/stats.h"
+#include "system/stats.h"
 //// --- Begin LibAFL code ---
@ -1294,7 +1294,7 @@ static void kvm_unpoison_all(void *param)
    QLIST_FOREACH_SAFE(page, &hwpoison_page_list, list, next_page) {
        QLIST_REMOVE(page, list);
-        qemu_ram_remap(page->ram_addr, TARGET_PAGE_SIZE);
+        qemu_ram_remap(page->ram_addr);
        g_free(page);
    }
 }
@ -3016,17 +3016,17 @@ int kvm_convert_memory(hwaddr start, hwaddr size, bool to_private)
    MemoryRegion *mr;
    RAMBlock *rb;
    void *addr;
-    int ret = -1;
+    int ret = -EINVAL;
    trace_kvm_convert_memory(start, size, to_private ? "shared_to_private" : "private_to_shared");
    if (!QEMU_PTR_IS_ALIGNED(start, qemu_real_host_page_size()) ||
        !QEMU_PTR_IS_ALIGNED(size, qemu_real_host_page_size())) {
-        return -1;
+        return ret;
    }
    if (!size) {
-        return -1;
+        return ret;
    }
    section = memory_region_find(get_system_memory(), start, size);
@ -3044,7 +3044,7 @@ int kvm_convert_memory(hwaddr start, hwaddr size, bool to_private)
        if (!to_private) {
            return 0;
        }
-        return -1;
+        return ret;
    }
    if (!memory_region_has_guest_memfd(mr)) {
--- a/accel/kvm/kvm-cpus.h
+++ b/accel/kvm/kvm-cpus.h
@ -10,8 +10,6 @@
 #ifndef KVM_CPUS_H
 #define KVM_CPUS_H
 #include "sysemu/cpus.h"
 int kvm_init_vcpu(CPUState *cpu, Error **errp);
 int kvm_cpu_exec(CPUState *cpu);
 void kvm_destroy_vcpu(CPUState *cpu);
--- a/accel/qtest/qtest.c
+++ b/accel/qtest/qtest.c
@ -18,8 +18,9 @@
 #include "qemu/option.h"
 #include "qemu/config-file.h"
 #include "qemu/accel.h"
-#include "sysemu/qtest.h"
+#include "system/accel-ops.h"
-#include "sysemu/cpus.h"
+#include "system/qtest.h"
 #include "system/cpus.h"
 #include "qemu/guest-random.h"
 #include "qemu/main-loop.h"
 #include "hw/core/cpu.h"
--- a/accel/stubs/kvm-stub.c
+++ b/accel/stubs/kvm-stub.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/kvm.h"
+#include "system/kvm.h"
 #include "hw/pci/msi.h"
 KVMState *kvm_state;
--- a/accel/stubs/tcg-stub.c
+++ b/accel/stubs/tcg-stub.c
@ -14,10 +14,6 @@
 #include "exec/tb-flush.h"
 #include "exec/exec-all.h"
 void tb_flush(CPUState *cpu)
 {
 }
 G_NORETURN void cpu_loop_exit(CPUState *cpu)
 {
    g_assert_not_reached();
--- a/accel/stubs/xen-stub.c
+++ b/accel/stubs/xen-stub.c
@ -6,7 +6,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/xen.h"
+#include "system/xen.h"
 #include "qapi/qapi-commands-migration.h"
 bool xen_allowed;
--- a/accel/tcg/cpu-exec-common.c
+++ b/accel/tcg/cpu-exec-common.c
@ -18,13 +18,45 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/cpus.h"
+#include "exec/log.h"
-#include "sysemu/tcg.h"
+#include "system/tcg.h"
 #include "qemu/plugin.h"
 #include "internal-common.h"
 bool tcg_allowed;
 bool tcg_cflags_has(CPUState *cpu, uint32_t flags)
 {
    return cpu->tcg_cflags & flags;
 }
 void tcg_cflags_set(CPUState *cpu, uint32_t flags)
 {
    cpu->tcg_cflags |= flags;
 }
 uint32_t curr_cflags(CPUState *cpu)
 {
    uint32_t cflags = cpu->tcg_cflags;
    /*
     * Record gdb single-step.  We should be exiting the TB by raising
     * EXCP_DEBUG, but to simplify other tests, disable chaining too.
     *
     * For singlestep and -d nochain, suppress goto_tb so that
     * we can log -d cpu,exec after every TB.
     */
    if (unlikely(cpu->singlestep_enabled)) {
        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | CF_SINGLE_STEP | 1;
    } else if (qatomic_read(&one_insn_per_tb)) {
        cflags |= CF_NO_GOTO_TB | 1;
    } else if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
        cflags |= CF_NO_GOTO_TB;
    }
    return cflags;
 }
 /* exit the current TB, but without causing any exception to be raised */
 void cpu_loop_exit_noexc(CPUState *cpu)
 {
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@ -21,27 +21,40 @@
 #include "qemu/qemu-print.h"
 #include "qapi/error.h"
 #include "qapi/type-helpers.h"
-#include "hw/core/tcg-cpu-ops.h"
+#include "hw/core/cpu.h"
 #include "accel/tcg/cpu-ops.h"
 #include "trace.h"
 #include "disas/disas.h"
-#include "exec/exec-all.h"
+#include "exec/cpu-common.h"
 #include "exec/page-protection.h"
 #include "exec/translation-block.h"
 #include "tcg/tcg.h"
 #include "qemu/atomic.h"
 #include "qemu/rcu.h"
 #include "exec/log.h"
 #include "qemu/main-loop.h"
 #include "sysemu/cpus.h"
 #include "exec/cpu-all.h"
-#include "sysemu/cpu-timers.h"
+#include "system/cpu-timers.h"
 #include "exec/replay-core.h"
-#include "sysemu/tcg.h"
+#include "system/tcg.h"
 #include "exec/helper-proto-common.h"
 #include "tb-jmp-cache.h"
 #include "tb-hash.h"
 #include "tb-context.h"
 #include "tb-internal.h"
 #include "internal-common.h"
 #include "internal-target.h"
 //// --- Begin LibAFL code ---
 #include "libafl/defs.h"
 #include "libafl/exit.h"
 #include "libafl/tcg.h"
 #include "libafl/hooks/tcg/edge.h"
 //// --- End LibAFL code ---
 /* -icount align implementation. */
 typedef struct SyncClocks {
@ -144,38 +157,6 @@ static void init_delay_params(SyncClocks *sc, const CPUState *cpu)
 }
 #endif /* CONFIG USER ONLY */
 bool tcg_cflags_has(CPUState *cpu, uint32_t flags)
 {
    return cpu->tcg_cflags & flags;
 }
 void tcg_cflags_set(CPUState *cpu, uint32_t flags)
 {
    cpu->tcg_cflags |= flags;
 }
 uint32_t curr_cflags(CPUState *cpu)
 {
    uint32_t cflags = cpu->tcg_cflags;
    /*
     * Record gdb single-step.  We should be exiting the TB by raising
     * EXCP_DEBUG, but to simplify other tests, disable chaining too.
     *
     * For singlestep and -d nochain, suppress goto_tb so that
     * we can log -d cpu,exec after every TB.
     */
    if (unlikely(cpu->singlestep_enabled)) {
        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | CF_SINGLE_STEP | 1;
    } else if (qatomic_read(&one_insn_per_tb)) {
        cflags |= CF_NO_GOTO_TB | 1;
    } else if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
        cflags |= CF_NO_GOTO_TB;
    }
    return cflags;
 }
 struct tb_desc {
    vaddr pc;
    uint64_t cs_base;
@ -245,7 +226,20 @@ static TranslationBlock *tb_htable_lookup(CPUState *cpu, vaddr pc,
    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
 }
-/* Might cause an exception, so have a longjmp destination ready */
+/**
 * tb_lookup:
 * @cpu: CPU that will execute the returned translation block
 * @pc: guest PC
 * @cs_base: arch-specific value associated with translation block
 * @flags: arch-specific translation block flags
 * @cflags: CF_* flags
 *
 * Look up a translation block inside the QHT using @pc, @cs_base, @flags and
 * @cflags. Uses @cpu's tb_jmp_cache. Might cause an exception, so have a
 * longjmp destination ready.
 *
 * Returns: an existing translation block or NULL.
 */
 static inline TranslationBlock *tb_lookup(CPUState *cpu, vaddr pc,
                                          uint64_t cs_base, uint32_t flags,
                                          uint32_t cflags)
@ -433,6 +427,16 @@ const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
    return tb->tc.ptr;
 }
 /* Return the current PC from CPU, which may be cached in TB. */
 static vaddr log_pc(CPUState *cpu, const TranslationBlock *tb)
 {
    if (tb_cflags(tb) & CF_PCREL) {
        return cpu->cc->get_pc(cpu);
    } else {
        return tb->pc;
    }
 }
 /* Execute a TB, and fix up the CPU state afterwards if necessary */
 /*
 * Disable CFI checks.
@ -708,12 +712,6 @@ static inline void cpu_handle_debug_exception(CPUState *cpu)
    }
 }
 //// --- Begin LibAFL code ---
 #include "libafl/exit.h"
 //// --- End LibAFL code ---
 static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
 {
    //// --- Begin LibAFL code ---
@ -964,14 +962,6 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
 #endif
 }
 //// --- Begin LibAFL code ---
 TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
                                  target_ulong dst_block, int exit_n, target_ulong cs_base,
                                  uint32_t flags, int cflags);
 //// --- End LibAFL code ---
 /* main execution loop */
 static int __attribute__((noinline))
@ -1130,11 +1120,13 @@ bool tcg_exec_realizefn(CPUState *cpu, Error **errp)
    if (!tcg_target_initialized) {
        /* Check mandatory TCGCPUOps handlers */
        const TCGCPUOps *tcg_ops = cpu->cc->tcg_ops;
 #ifndef CONFIG_USER_ONLY
-        assert(cpu->cc->tcg_ops->cpu_exec_halt);
+        assert(tcg_ops->cpu_exec_halt);
-        assert(cpu->cc->tcg_ops->cpu_exec_interrupt);
+        assert(tcg_ops->cpu_exec_interrupt);
 #endif /* !CONFIG_USER_ONLY */
-        cpu->cc->tcg_ops->initialize();
+        assert(tcg_ops->translate_code);
        tcg_ops->initialize();
        tcg_target_initialized = true;
    }
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@ -19,7 +19,7 @@
 #include "qemu/osdep.h"
 #include "qemu/main-loop.h"
-#include "hw/core/tcg-cpu-ops.h"
+#include "accel/tcg/cpu-ops.h"
 #include "exec/exec-all.h"
 #include "exec/page-protection.h"
 #include "exec/memory.h"
@ -37,16 +37,16 @@
 #include "exec/helper-proto-common.h"
 #include "qemu/atomic.h"
 #include "qemu/atomic128.h"
-#include "exec/translate-all.h"
+#include "tb-internal.h"
 #include "trace.h"
 #include "tb-hash.h"
 #include "tb-internal.h"
 #include "internal-common.h"
 #include "internal-target.h"
 #ifdef CONFIG_PLUGIN
 #include "qemu/plugin-memory.h"
 #endif
 #include "tcg/tcg-ldst.h"
 #include "tcg/oversized-guest.h"
 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
 /* #define DEBUG_TLB */
@ -111,26 +111,15 @@ static inline uint64_t tlb_read_idx(const CPUTLBEntry *entry,
 {
    /* Do not rearrange the CPUTLBEntry structure members. */
    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_read) !=
-                      MMU_DATA_LOAD * sizeof(uint64_t));
+                      MMU_DATA_LOAD * sizeof(uintptr_t));
    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_write) !=
-                      MMU_DATA_STORE * sizeof(uint64_t));
+                      MMU_DATA_STORE * sizeof(uintptr_t));
    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_code) !=
-                      MMU_INST_FETCH * sizeof(uint64_t));
+                      MMU_INST_FETCH * sizeof(uintptr_t));
-#if TARGET_LONG_BITS == 32
+    const uintptr_t *ptr = &entry->addr_idx[access_type];
    /* Use qatomic_read, in case of addr_write; only care about low bits. */
    const uint32_t *ptr = (uint32_t *)&entry->addr_idx[access_type];
    ptr += HOST_BIG_ENDIAN;
    return qatomic_read(ptr);
 #else
    const uint64_t *ptr = &entry->addr_idx[access_type];
 # if TCG_OVERSIZED_GUEST
    return *ptr;
 # else
    /* ofs might correspond to .addr_write, so use qatomic_read */
    return qatomic_read(ptr);
 # endif
 #endif
 }
 static inline uint64_t tlb_addr_write(const CPUTLBEntry *entry)
@ -910,16 +899,8 @@ static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
        addr &= TARGET_PAGE_MASK;
        addr += tlb_entry->addend;
        if ((addr - start) < length) {
 #if TARGET_LONG_BITS == 32
            uint32_t *ptr_write = (uint32_t *)&tlb_entry->addr_write;
            ptr_write += HOST_BIG_ENDIAN;
            qatomic_set(ptr_write, *ptr_write | TLB_NOTDIRTY);
 #elif TCG_OVERSIZED_GUEST
            tlb_entry->addr_write |= TLB_NOTDIRTY;
 #else
            qatomic_set(&tlb_entry->addr_write,
                        tlb_entry->addr_write | TLB_NOTDIRTY);
 #endif
        }
    }
 }
@ -1206,7 +1187,7 @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
 void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
                             hwaddr paddr, MemTxAttrs attrs, int prot,
-                             int mmu_idx, uint64_t size)
+                             int mmu_idx, vaddr size)
 {
    CPUTLBEntryFull full = {
        .phys_addr = paddr,
@ -1221,12 +1202,35 @@ void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
 void tlb_set_page(CPUState *cpu, vaddr addr,
                  hwaddr paddr, int prot,
-                  int mmu_idx, uint64_t size)
+                  int mmu_idx, vaddr size)
 {
    tlb_set_page_with_attrs(cpu, addr, paddr, MEMTXATTRS_UNSPECIFIED,
                            prot, mmu_idx, size);
 }
 /**
 * tlb_hit_page: return true if page aligned @addr is a hit against the
 * TLB entry @tlb_addr
 *
 * @addr: virtual address to test (must be page aligned)
 * @tlb_addr: TLB entry address (a CPUTLBEntry addr_read/write/code value)
 */
 static inline bool tlb_hit_page(uint64_t tlb_addr, vaddr addr)
 {
    return addr == (tlb_addr & (TARGET_PAGE_MASK | TLB_INVALID_MASK));
 }
 /**
 * tlb_hit: return true if @addr is a hit against the TLB entry @tlb_addr
 *
 * @addr: virtual address to test (need not be page aligned)
 * @tlb_addr: TLB entry address (a CPUTLBEntry addr_read/write/code value)
 */
 static inline bool tlb_hit(uint64_t tlb_addr, vaddr addr)
 {
    return tlb_hit_page(tlb_addr, addr & TARGET_PAGE_MASK);
 }
 /*
 * Note: tlb_fill_align() can trigger a resize of the TLB.
 * This means that all of the caller's prior references to the TLB table
@ -1518,7 +1522,7 @@ void *probe_access(CPUArchState *env, vaddr addr, int size,
    return host;
 }
-void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
+void *tlb_vaddr_to_host(CPUArchState *env, vaddr addr,
                        MMUAccessType access_type, int mmu_idx)
 {
    CPUTLBEntryFull *full;
--- a/accel/tcg/icount-common.c
+++ b/accel/tcg/icount-common.c
@ -27,16 +27,16 @@
 #include "migration/vmstate.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
-#include "sysemu/cpus.h"
+#include "system/cpus.h"
-#include "sysemu/qtest.h"
+#include "system/qtest.h"
 #include "qemu/main-loop.h"
 #include "qemu/option.h"
 #include "qemu/seqlock.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
-#include "sysemu/runstate.h"
+#include "system/runstate.h"
 #include "hw/core/cpu.h"
-#include "sysemu/cpu-timers.h"
+#include "system/cpu-timers.h"
-#include "sysemu/cpu-timers-internal.h"
+#include "system/cpu-timers-internal.h"
 /*
 * ICOUNT: Instruction Counter
@ -48,6 +48,8 @@ static bool icount_sleep = true;
 /* Arbitrarily pick 1MIPS as the minimum allowable speed.  */
 #define MAX_ICOUNT_SHIFT 10
 bool icount_align_option;
 /* Do not count executed instructions */
 ICountMode use_icount = ICOUNT_DISABLED;
--- a/accel/tcg/internal-common.h
+++ b/accel/tcg/internal-common.h
@ -17,6 +17,8 @@ extern int64_t max_advance;
 extern bool one_insn_per_tb;
 extern bool icount_align_option;
 /*
 * Return true if CS is not running in parallel with other cpus, either
 * because there are no other cpus or we are within an exclusive context.
@ -52,8 +54,25 @@ void tb_reset_jump(TranslationBlock *tb, int n);
 TranslationBlock *tb_link_page(TranslationBlock *tb);
 void cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
                               uintptr_t host_pc);
 int encode_search(TranslationBlock *tb, uint8_t *block);
 /**
 * tlb_init - initialize a CPU's TLB
 * @cpu: CPU whose TLB should be initialized
 */
 void tlb_init(CPUState *cpu);
 /**
 * tlb_destroy - destroy a CPU's TLB
 * @cpu: CPU whose TLB should be destroyed
 */
 void tlb_destroy(CPUState *cpu);
 bool tcg_exec_realizefn(CPUState *cpu, Error **errp);
 void tcg_exec_unrealizefn(CPUState *cpu);
 /* current cflags for hashing/comparison */
 uint32_t curr_cflags(CPUState *cpu);
 void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr);
 #endif
--- a/accel/tcg/internal-target.h
+++ b/accel/tcg/internal-target.h
@ -10,7 +10,9 @@
 #define ACCEL_TCG_INTERNAL_TARGET_H
 #include "exec/exec-all.h"
-#include "exec/translate-all.h"
+#include "exec/translation-block.h"
 #include "tb-internal.h"
 #include "tcg-target-mo.h"
 /*
 * Access to the various translations structures need to be serialised
@ -36,50 +38,9 @@ static inline void page_table_config_init(void) { }
 void page_table_config_init(void);
 #endif
-#ifdef CONFIG_USER_ONLY
+#ifndef CONFIG_USER_ONLY
 /*
 * For user-only, page_protect sets the page read-only.
 * Since most execution is already on read-only pages, and we'd need to
 * account for other TBs on the same page, defer undoing any page protection
 * until we receive the write fault.
 */
 static inline void tb_lock_page0(tb_page_addr_t p0)
 {
    page_protect(p0);
 }
 static inline void tb_lock_page1(tb_page_addr_t p0, tb_page_addr_t p1)
 {
    page_protect(p1);
 }
 static inline void tb_unlock_page1(tb_page_addr_t p0, tb_page_addr_t p1) { }
 static inline void tb_unlock_pages(TranslationBlock *tb) { }
 #else
 void tb_lock_page0(tb_page_addr_t);
 void tb_lock_page1(tb_page_addr_t, tb_page_addr_t);
 void tb_unlock_page1(tb_page_addr_t, tb_page_addr_t);
 void tb_unlock_pages(TranslationBlock *);
 #endif
 #ifdef CONFIG_SOFTMMU
 void tb_invalidate_phys_range_fast(ram_addr_t ram_addr,
                                   unsigned size,
                                   uintptr_t retaddr);
 G_NORETURN void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
-#endif /* CONFIG_SOFTMMU */
+#endif /* CONFIG_USER_ONLY */
 bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc);
 /* Return the current PC from CPU, which may be cached in TB. */
 static inline vaddr log_pc(CPUState *cpu, const TranslationBlock *tb)
 {
    if (tb_cflags(tb) & CF_PCREL) {
        return cpu->cc->get_pc(cpu);
    } else {
        return tb->pc;
    }
 }
 /**
 * tcg_req_mo:
--- a/accel/tcg/meson.build
+++ b/accel/tcg/meson.build
@ -1,13 +1,13 @@
 common_ss.add(when: 'CONFIG_TCG', if_true: files(
  'cpu-exec-common.c',
  'tcg-runtime.c',
  'tcg-runtime-gvec.c',
 ))
 tcg_specific_ss = ss.source_set()
 tcg_specific_ss.add(files(
  'tcg-all.c',
  'cpu-exec.c',
  'tb-maint.c',
  'tcg-runtime-gvec.c',
  'tcg-runtime.c',
  'translate-all.c',
  'translator.c',
 ))
@ -20,17 +20,14 @@ specific_ss.add_all(when: 'CONFIG_TCG', if_true: tcg_specific_ss)
 specific_ss.add(when: ['CONFIG_SYSTEM_ONLY', 'CONFIG_TCG'], if_true: files(
  'cputlb.c',
  'watchpoint.c',
 ))
 system_ss.add(when: ['CONFIG_TCG'], if_true: files(
  'icount-common.c',
  'monitor.c',
 ))
 tcg_module_ss.add(when: ['CONFIG_SYSTEM_ONLY', 'CONFIG_TCG'], if_true: files(
  'tcg-accel-ops.c',
  'tcg-accel-ops-mttcg.c',
  'tcg-accel-ops-icount.c',
  'tcg-accel-ops-mttcg.c',
  'tcg-accel-ops-rr.c',
  'watchpoint.c',
 ))
--- a/accel/tcg/monitor.c
+++ b/accel/tcg/monitor.c
@ -13,9 +13,8 @@
 #include "qapi/type-helpers.h"
 #include "qapi/qapi-commands-machine.h"
 #include "monitor/monitor.h"
-#include "sysemu/cpus.h"
+#include "system/cpu-timers.h"
-#include "sysemu/cpu-timers.h"
+#include "system/tcg.h"
 #include "sysemu/tcg.h"
 #include "tcg/tcg.h"
 #include "internal-common.h"
 #include "tb-context.h"
--- a/accel/tcg/plugin-gen.c
+++ b/accel/tcg/plugin-gen.c
@ -102,6 +102,15 @@ static void gen_disable_mem_helper(void)
 static TCGv_i32 gen_cpu_index(void)
 {
    /*
     * Optimize when we run with a single vcpu. All values using cpu_index,
     * including scoreboard index, will be optimized out.
     * User-mode calls tb_flush when setting this flag. In system-mode, all
     * vcpus are created before generating code.
     */
    if (!tcg_cflags_has(current_cpu, CF_PARALLEL)) {
        return tcg_constant_i32(current_cpu->cpu_index);
    }
    TCGv_i32 cpu_index = tcg_temp_ebb_new_i32();
    tcg_gen_ld_i32(cpu_index, tcg_env,
                   -offsetof(ArchCPU, env) + offsetof(CPUState, cpu_index));
--- a/accel/tcg/tb-hash.h
+++ b/accel/tcg/tb-hash.h
@ -22,6 +22,7 @@
 #include "exec/cpu-defs.h"
 #include "exec/exec-all.h"
 #include "exec/translation-block.h"
 #include "qemu/xxhash.h"
 #include "tb-jmp-cache.h"
--- a/accel/tcg/tb-internal.h
+++ b/accel/tcg/tb-internal.h
@ -0,0 +1,89 @@
 /*
 * TranslationBlock internal declarations (target specific)
 *
 *  Copyright (c) 2003 Fabrice Bellard
 *
 * SPDX-License-Identifier: LGPL-2.1-or-later
 */
 #ifndef ACCEL_TCG_TB_INTERNAL_TARGET_H
 #define ACCEL_TCG_TB_INTERNAL_TARGET_H
 #include "exec/cpu-all.h"
 #include "exec/exec-all.h"
 #include "exec/translation-block.h"
 /*
 * The true return address will often point to a host insn that is part of
 * the next translated guest insn.  Adjust the address backward to point to
 * the middle of the call insn.  Subtracting one would do the job except for
 * several compressed mode architectures (arm, mips) which set the low bit
 * to indicate the compressed mode; subtracting two works around that.  It
 * is also the case that there are no host isas that contain a call insn
 * smaller than 4 bytes, so we don't worry about special-casing this.
 */
 #define GETPC_ADJ   2
 #ifdef CONFIG_SOFTMMU
 #define CPU_TLB_DYN_MIN_BITS 6
 #define CPU_TLB_DYN_DEFAULT_BITS 8
 # if HOST_LONG_BITS == 32
 /* Make sure we do not require a double-word shift for the TLB load */
 #  define CPU_TLB_DYN_MAX_BITS (32 - TARGET_PAGE_BITS)
 # else /* HOST_LONG_BITS == 64 */
 /*
 * Assuming TARGET_PAGE_BITS==12, with 2**22 entries we can cover 2**(22+12) ==
 * 2**34 == 16G of address space. This is roughly what one would expect a
 * TLB to cover in a modern (as of 2018) x86_64 CPU. For instance, Intel
 * Skylake's Level-2 STLB has 16 1G entries.
 * Also, make sure we do not size the TLB past the guest's address space.
 */
 #  ifdef TARGET_PAGE_BITS_VARY
 #   define CPU_TLB_DYN_MAX_BITS                                  \
    MIN(22, TARGET_VIRT_ADDR_SPACE_BITS - TARGET_PAGE_BITS)
 #  else
 #   define CPU_TLB_DYN_MAX_BITS                                  \
    MIN_CONST(22, TARGET_VIRT_ADDR_SPACE_BITS - TARGET_PAGE_BITS)
 #  endif
 # endif
 #endif /* CONFIG_SOFTMMU */
 #ifdef CONFIG_USER_ONLY
 #include "user/page-protection.h"
 /*
 * For user-only, page_protect sets the page read-only.
 * Since most execution is already on read-only pages, and we'd need to
 * account for other TBs on the same page, defer undoing any page protection
 * until we receive the write fault.
 */
 static inline void tb_lock_page0(tb_page_addr_t p0)
 {
    page_protect(p0);
 }
 static inline void tb_lock_page1(tb_page_addr_t p0, tb_page_addr_t p1)
 {
    page_protect(p1);
 }
 static inline void tb_unlock_page1(tb_page_addr_t p0, tb_page_addr_t p1) { }
 static inline void tb_unlock_pages(TranslationBlock *tb) { }
 #else
 void tb_lock_page0(tb_page_addr_t);
 void tb_lock_page1(tb_page_addr_t, tb_page_addr_t);
 void tb_unlock_page1(tb_page_addr_t, tb_page_addr_t);
 void tb_unlock_pages(TranslationBlock *);
 #endif
 #ifdef CONFIG_SOFTMMU
 void tb_invalidate_phys_range_fast(ram_addr_t ram_addr,
                                   unsigned size,
                                   uintptr_t retaddr);
 #endif /* CONFIG_SOFTMMU */
 bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc);
 #endif
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@ -25,13 +25,17 @@
 #include "exec/exec-all.h"
 #include "exec/page-protection.h"
 #include "exec/tb-flush.h"
-#include "exec/translate-all.h"
+#include "tb-internal.h"
-#include "sysemu/tcg.h"
+#include "system/tcg.h"
 #include "tcg/tcg.h"
 #include "tb-hash.h"
 #include "tb-context.h"
 #include "tb-internal.h"
 #include "internal-common.h"
 #include "internal-target.h"
 #ifdef CONFIG_USER_ONLY
 #include "user/page-protection.h"
 #endif
 /* List iterators for lists of tagged pointers in TranslationBlock. */
--- a/accel/tcg/tcg-accel-ops-icount.c
+++ b/accel/tcg/tcg-accel-ops-icount.c
@ -24,11 +24,11 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
-#include "sysemu/cpu-timers.h"
+#include "system/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/guest-random.h"
-#include "exec/exec-all.h"
+#include "hw/core/cpu.h"
 #include "tcg-accel-ops.h"
 #include "tcg-accel-ops-icount.h"
--- a/accel/tcg/tcg-accel-ops-mttcg.c
+++ b/accel/tcg/tcg-accel-ops-mttcg.c
@ -24,18 +24,24 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/tcg.h"
+#include "system/tcg.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
-#include "sysemu/cpu-timers.h"
+#include "system/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/notify.h"
 #include "qemu/guest-random.h"
 #include "exec/exec-all.h"
 #include "hw/boards.h"
 #include "tcg/startup.h"
 #include "tcg-accel-ops.h"
 #include "tcg-accel-ops-mttcg.h"
 //// --- Begin LibAFL code ---
 #include "libafl/defs.h"
 //// --- End LibAFL code ---
 typedef struct MttcgForceRcuNotifier {
    Notifier notifier;
    CPUState *cpu;
@ -56,12 +62,6 @@ static void mttcg_force_rcu(Notifier *notify, void *data)
    async_run_on_cpu(cpu, do_nothing, RUN_ON_CPU_NULL);
 }
 //// --- Begin LibAFL code ---
 #include "libafl/exit.h"
 //// --- End LibAFL code ---
 /*
 * In the multi-threaded case each vCPU has its own thread. The TLS
 * variable current_cpu can be used deep in the code to find the
--- a/accel/tcg/tcg-accel-ops-rr.c
+++ b/accel/tcg/tcg-accel-ops-rr.c
@ -25,18 +25,24 @@
 #include "qemu/osdep.h"
 #include "qemu/lockable.h"
-#include "sysemu/tcg.h"
+#include "system/tcg.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
-#include "sysemu/cpu-timers.h"
+#include "system/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/notify.h"
 #include "qemu/guest-random.h"
-#include "exec/exec-all.h"
+#include "exec/cpu-common.h"
 #include "tcg/startup.h"
 #include "tcg-accel-ops.h"
 #include "tcg-accel-ops-rr.h"
 #include "tcg-accel-ops-icount.h"
 //// --- Begin LibAFL code ---
 #include "libafl/defs.h"
 //// --- End LibAFL code ---
 /* Kick all RR vCPUs */
 void rr_kick_vcpu_thread(CPUState *unused)
 {
@ -169,12 +175,6 @@ static int rr_cpu_count(void)
    return cpu_count;
 }
 //// --- Begin LibAFL code ---
 #include "libafl/exit.h"
 //// --- End LibAFL code ---
 /*
 * In the single-threaded case each vCPU is simulated in turn. If
 * there is more than a single vCPU we create a simple timer to kick
--- a/accel/tcg/tcg-accel-ops.c
+++ b/accel/tcg/tcg-accel-ops.c
@ -26,15 +26,17 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/tcg.h"
+#include "system/accel-ops.h"
-#include "sysemu/replay.h"
+#include "system/tcg.h"
-#include "sysemu/cpu-timers.h"
+#include "system/replay.h"
 #include "system/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/guest-random.h"
 #include "qemu/timer.h"
-#include "exec/exec-all.h"
+#include "exec/cputlb.h"
 #include "exec/hwaddr.h"
 #include "exec/tb-flush.h"
 #include "exec/translation-block.h"
 #include "gdbstub/enums.h"
 #include "hw/core/cpu.h"
@ -119,10 +121,9 @@ static inline int xlat_gdb_type(CPUState *cpu, int gdbtype)
        [GDB_WATCHPOINT_ACCESS] = BP_GDB | BP_MEM_ACCESS,
    };
    CPUClass *cc = CPU_GET_CLASS(cpu);
    int cputype = xlat[gdbtype];
-    if (cc->gdb_stop_before_watchpoint) {
+    if (cpu->cc->gdb_stop_before_watchpoint) {
        cputype |= BP_STOP_BEFORE_ACCESS;
    }
    return cputype;
--- a/accel/tcg/tcg-accel-ops.h
+++ b/accel/tcg/tcg-accel-ops.h
@ -12,7 +12,7 @@
 #ifndef TCG_ACCEL_OPS_H
 #define TCG_ACCEL_OPS_H
-#include "sysemu/cpus.h"
+#include "system/cpus.h"
 void tcg_cpu_destroy(CPUState *cpu);
 int tcg_cpu_exec(CPUState *cpu);
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@ -24,21 +24,24 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/tcg.h"
+#include "system/tcg.h"
 #include "exec/replay-core.h"
-#include "sysemu/cpu-timers.h"
+#include "system/cpu-timers.h"
 #include "tcg/startup.h"
 #include "tcg/oversized-guest.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "qemu/accel.h"
 #include "qemu/atomic.h"
 #include "qapi/qapi-builtin-visit.h"
 #include "qemu/units.h"
-#if !defined(CONFIG_USER_ONLY)
+#if defined(CONFIG_USER_ONLY)
 #include "hw/qdev-core.h"
 #else
 #include "hw/boards.h"
 #endif
 #include "internal-common.h"
 #include "cpu-param.h"
 struct TCGState {
    AccelState parent_obj;
@ -70,15 +73,14 @@ DECLARE_INSTANCE_CHECKER(TCGState, TCG_STATE,
 static bool default_mttcg_enabled(void)
 {
-
+    //// --- Begin LibAFL code ---
 //// --- Begin LibAFL code ---
    // Only the RR ops works with libafl_qemu, so avoid MTTCG by default
    return false;
-//// --- End LibAFL code ---
+    //// --- End LibAFL code ---
-    if (icount_enabled() || TCG_OVERSIZED_GUEST) {
+    if (icount_enabled()) {
        return false;
    }
 #ifdef TARGET_SUPPORTS_MTTCG
@ -132,6 +134,10 @@ static int tcg_init_machine(MachineState *ms)
    tcg_prologue_init();
 #endif
 #ifdef CONFIG_USER_ONLY
    qdev_create_fake_machine();
 #endif
    return 0;
 }
@ -147,9 +153,7 @@ static void tcg_set_thread(Object *obj, const char *value, Error **errp)
    TCGState *s = TCG_STATE(obj);
    if (strcmp(value, "multi") == 0) {
-        if (TCG_OVERSIZED_GUEST) {
+        if (icount_enabled()) {
            error_setg(errp, "No MTTCG when guest word size > hosts");
        } else if (icount_enabled()) {
            error_setg(errp, "No MTTCG when icount is enabled");
        } else {
 #ifndef TARGET_SUPPORTS_MTTCG
--- a/accel/tcg/tcg-runtime-gvec.c
+++ b/accel/tcg/tcg-runtime-gvec.c
@ -19,7 +19,6 @@
 #include "qemu/osdep.h"
 #include "qemu/host-utils.h"
 #include "cpu.h"
 #include "exec/helper-proto-common.h"
 #include "tcg/tcg-gvec-desc.h"
--- a/accel/tcg/tcg-runtime.c
+++ b/accel/tcg/tcg-runtime.c
@ -23,36 +23,14 @@
 */
 #include "qemu/osdep.h"
 #include "qemu/host-utils.h"
-#include "cpu.h"
+#include "exec/cpu-common.h"
 #include "exec/helper-proto-common.h"
-#include "exec/cpu_ldst.h"
+#include "accel/tcg/getpc.h"
 #include "exec/exec-all.h"
 #include "disas/disas.h"
 #include "exec/log.h"
 #include "tcg/tcg.h"
 #define HELPER_H  "accel/tcg/tcg-runtime.h"
 #include "exec/helper-info.c.inc"
 #undef  HELPER_H
 //// --- Begin LibAFL code ---
 #include "libafl/exit.h"
 void HELPER(libafl_qemu_handle_breakpoint)(CPUArchState *env, uint64_t pc)
 {
    CPUState* cpu = env_cpu(env);
    libafl_exit_request_breakpoint(cpu, (target_ulong) pc);
 }
 void HELPER(libafl_qemu_handle_custom_insn)(CPUArchState *env, uint64_t pc, uint32_t kind)
 {
    CPUState* cpu = env_cpu(env);
    libafl_exit_request_custom_insn(cpu, (target_ulong) pc, (enum libafl_custom_insn_kind) kind);
 }
 //// --- End LibAFL code ---
 /* 32-bit helpers */
 int32_t HELPER(div_i32)(int32_t arg1, int32_t arg2)
--- a/accel/tcg/tcg-runtime.h
+++ b/accel/tcg/tcg-runtime.h
@ -323,13 +323,3 @@ DEF_HELPER_FLAGS_4(gvec_leus32, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 DEF_HELPER_FLAGS_4(gvec_leus64, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 DEF_HELPER_FLAGS_5(gvec_bitsel, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 //// --- Begin LibAFL code ---
 DEF_HELPER_FLAGS_2(libafl_qemu_handle_breakpoint, TCG_CALL_NO_RWG,
                    void, env, i64)
 DEF_HELPER_FLAGS_3(libafl_qemu_handle_custom_insn, TCG_CALL_NO_RWG,
                    void, env, i64, i32)
 //// --- End LibAFL code ---
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@ -44,7 +44,8 @@
 #endif
 #include "exec/cputlb.h"
-#include "exec/translate-all.h"
+#include "exec/page-protection.h"
 #include "tb-internal.h"
 #include "exec/translator.h"
 #include "exec/tb-flush.h"
 #include "qemu/bitmap.h"
@ -53,14 +54,14 @@
 #include "qemu/cacheinfo.h"
 #include "qemu/timer.h"
 #include "exec/log.h"
-#include "sysemu/cpus.h"
+#include "system/cpu-timers.h"
-#include "sysemu/cpu-timers.h"
+#include "system/tcg.h"
 #include "sysemu/tcg.h"
 #include "qapi/error.h"
-#include "hw/core/tcg-cpu-ops.h"
+#include "accel/tcg/cpu-ops.h"
 #include "tb-jmp-cache.h"
 #include "tb-hash.h"
 #include "tb-context.h"
 #include "tb-internal.h"
 #include "internal-common.h"
 #include "internal-target.h"
 #include "tcg/perf.h"
@ -131,8 +132,10 @@ static int64_t decode_sleb128(const uint8_t **pp)
   line.  The seed for the first line is { tb->pc, 0..., tb->tc.ptr }.
   That is, the first column is seeded with the guest pc, the last column
   with the host pc, and the middle columns with zeros.  */
-
+/*
-static int encode_search(TranslationBlock *tb, uint8_t *block)
+static
 */
 int encode_search(TranslationBlock *tb, uint8_t *block)
 {
    uint8_t *highwater = tcg_ctx->code_gen_highwater;
    uint64_t *insn_data = tcg_ctx->gen_insn_data;
@ -281,7 +284,8 @@ static int setjmp_gen_code(CPUArchState *env, TranslationBlock *tb,
    tcg_func_start(tcg_ctx);
-    tcg_ctx->cpu = env_cpu(env);
+    CPUState *cs = env_cpu(env);
    tcg_ctx->cpu = cs;
    //// --- Begin LibAFL code ---
@ -289,73 +293,7 @@ static int setjmp_gen_code(CPUArchState *env, TranslationBlock *tb,
    //// --- End LibAFL code ---
-    gen_intermediate_code(env_cpu(env), tb, max_insns, pc, host_pc);
+    cs->cc->tcg_ops->translate_code(cs, tb, max_insns, pc, host_pc);
    assert(tb->size != 0);
    tcg_ctx->cpu = NULL;
    *max_insns = tb->icount;
    return tcg_gen_code(tcg_ctx, tb, pc);
 }
 //// --- Begin LibAFL code ---
 static target_ulong reverse_bits(target_ulong num)
 {
    unsigned int count = sizeof(num) * 8 - 1;
    target_ulong reverse_num = num;
    num >>= 1;
    while(num)
    {
       reverse_num <<= 1;
       reverse_num |= num & 1;
       num >>= 1;
       count--;
    }
    reverse_num <<= count;
    return reverse_num;
 }
 /*
 * Isolate the portion of code gen which can setjmp/longjmp.
 * Return the size of the generated code, or negative on error.
 */
 static int libafl_setjmp_gen_code(CPUArchState *env, TranslationBlock *tb,
                           vaddr pc, void *host_pc,
                           int *max_insns, int64_t *ti)
 {
    int ret = sigsetjmp(tcg_ctx->jmp_trans, 0);
    if (unlikely(ret != 0)) {
        return ret;
    }
    tcg_func_start(tcg_ctx);
    tcg_ctx->cpu = env_cpu(env);
    // -- start gen_intermediate_code
    const int num_insns = 1; // do "as-if" we were translating a single target instruction
 #ifndef TARGET_INSN_START_EXTRA_WORDS
    tcg_gen_insn_start(pc);
 #elif TARGET_INSN_START_EXTRA_WORDS == 1
    tcg_gen_insn_start(pc, 0);
 #elif TARGET_INSN_START_EXTRA_WORDS == 2
    tcg_gen_insn_start(pc, 0, 0);
 #else
 #error Unhandled TARGET_INSN_START_EXTRA_WORDS value
 #endif
    // run edge hooks
    libafl_qemu_hook_edge_run();
    tcg_gen_goto_tb(0);
    tcg_gen_exit_tb(tb, 0);
    // This is obviously wrong, but it is required that the number / size of target instruction translated
    // is at least 1. For now, we make it so that no problem occurs later on.
    tb->icount = num_insns; // number of target instructions translated in the TB.
    tb->size = num_insns; // size (in target bytes) of target instructions translated in the TB.
    // -- end gen_intermediate_code
    assert(tb->size != 0);
    tcg_ctx->cpu = NULL;
@ -363,208 +301,6 @@ static int libafl_setjmp_gen_code(CPUArchState *env, TranslationBlock *tb,
    return tcg_gen_code(tcg_ctx, tb, pc);
 }
 /* Called with mmap_lock held for user mode emulation.  */
 TranslationBlock *libafl_gen_edge(CPUState *cpu, target_ulong src_block,
                                  target_ulong dst_block, int exit_n,
                                  target_ulong cs_base, uint32_t flags,
                                  int cflags)
 {
    CPUArchState *env = cpu_env(cpu);
    TranslationBlock *tb;
    tb_page_addr_t phys_pc;
    tcg_insn_unit *gen_code_buf;
    int gen_code_size, search_size, max_insns;
    int64_t ti;
    void *host_pc;
    // edge hooks generation callbacks
    // early check if it should be skipped or not
    bool no_exec_hook = libafl_qemu_hook_edge_gen(src_block, dst_block);
    if (no_exec_hook) {
        // no exec hooks to run for edges, not point in generating a TB
        return NULL;
    }
    target_ulong pc = src_block ^ reverse_bits((target_ulong)exit_n);
    assert_memory_lock();
    qemu_thread_jit_write();
    // TODO: this (get_page_addr_code_hostp) is a bottleneck in systemmode, investigate why
    phys_pc = get_page_addr_code_hostp(env, src_block, &host_pc);
    phys_pc ^= reverse_bits((tb_page_addr_t)exit_n);
    // if (phys_pc == -1) {
    //     /* Generate a one-shot TB with 1 insn in it */
    //     cflags = (cflags & ~CF_COUNT_MASK) | 1;
    // }
    /* Generate a one-shot TB with max 16 insn in it */
    cflags = (cflags & ~CF_COUNT_MASK) | LIBAFL_MAX_INSNS;
    QEMU_BUILD_BUG_ON(LIBAFL_MAX_INSNS > TCG_MAX_INSNS);
    max_insns = cflags & CF_COUNT_MASK;
    if (max_insns == 0) {
        max_insns = TCG_MAX_INSNS;
    }
    QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
 buffer_overflow:
    assert_no_pages_locked();
    tb = tcg_tb_alloc(tcg_ctx);
    if (unlikely(!tb)) {
        /* flush must be done */
        tb_flush(cpu);
        mmap_unlock();
        /* Make the execution loop process the flush as soon as possible.  */
        cpu->exception_index = EXCP_INTERRUPT;
        cpu_loop_exit(cpu);
    }
    gen_code_buf = tcg_ctx->code_gen_ptr;
    tb->tc.ptr = tcg_splitwx_to_rx(gen_code_buf);
    if (!(cflags & CF_PCREL)) {
        tb->pc = pc;
    }
    tb->cs_base = cs_base;
    tb->flags = flags;
    tb->cflags = cflags | CF_IS_EDGE;
    tb_set_page_addr0(tb, phys_pc);
    tb_set_page_addr1(tb, -1);
    // if (phys_pc != -1) {
    //     tb_lock_page0(phys_pc);
    // }
    tcg_ctx->gen_tb = tb;
    tcg_ctx->addr_type = TARGET_LONG_BITS == 32 ? TCG_TYPE_I32 : TCG_TYPE_I64;
 #ifdef CONFIG_SOFTMMU
    tcg_ctx->page_bits = TARGET_PAGE_BITS;
    tcg_ctx->page_mask = TARGET_PAGE_MASK;
    tcg_ctx->tlb_dyn_max_bits = CPU_TLB_DYN_MAX_BITS;
 #endif
    tcg_ctx->insn_start_words = TARGET_INSN_START_WORDS;
 #ifdef TCG_GUEST_DEFAULT_MO
    tcg_ctx->guest_mo = TCG_GUEST_DEFAULT_MO;
 #else
    tcg_ctx->guest_mo = TCG_MO_ALL;
 #endif
 restart_translate:
    trace_translate_block(tb, pc, tb->tc.ptr);
    gen_code_size = libafl_setjmp_gen_code(env, tb, pc, host_pc, &max_insns, &ti);
    if (unlikely(gen_code_size < 0)) {
        switch (gen_code_size) {
            case -1:
                /*
                 * Overflow of code_gen_buffer, or the current slice of it.
                 *
                 * TODO: We don't need to re-do gen_intermediate_code, nor
                 * should we re-do the tcg optimization currently hidden
                 * inside tcg_gen_code.  All that should be required is to
                 * flush the TBs, allocate a new TB, re-initialize it per
                 * above, and re-do the actual code generation.
                 */
                qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT,
                              "Restarting code generation for "
                              "code_gen_buffer overflow\n");
                tb_unlock_pages(tb);
                tcg_ctx->gen_tb = NULL;
                goto buffer_overflow;
            case -2:
                assert(false && "This should never happen for edge code. There must be a bug.");
                /*
                 * The code generated for the TranslationBlock is too large.
                 * The maximum size allowed by the unwind info is 64k.
                 * There may be stricter constraints from relocations
                 * in the tcg backend.
                 *
                 * Try again with half as many insns as we attempted this time.
                 * If a single insn overflows, there's a bug somewhere...
                 */
                assert(max_insns > 1);
                max_insns /= 2;
                qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT,
                              "Restarting code generation with "
                              "smaller translation block (max %d insns)\n",
                              max_insns);
                /*
                 * The half-sized TB may not cross pages.
                 * TODO: Fix all targets that cross pages except with
                 * the first insn, at which point this can't be reached.
                 */
                // phys_p2 = tb_page_addr1(tb);
                // if (unlikely(phys_p2 != -1)) {
                //     tb_unlock_page1(phys_pc, phys_p2);
                //     tb_set_page_addr1(tb, -1);
                // }
                goto restart_translate;
            case -3:
                /*
                 * We had a page lock ordering problem.  In order to avoid
                 * deadlock we had to drop the lock on page0, which means
                 * that everything we translated so far is compromised.
                 * Restart with locks held on both pages.
                 */
                qemu_log_mask(CPU_LOG_TB_OP | CPU_LOG_TB_OP_OPT,
                              "Restarting code generation with re-locked pages");
                goto restart_translate;
            default:
                g_assert_not_reached();
        }
    }
    tcg_ctx->gen_tb = NULL;
    search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
    if (unlikely(search_size < 0)) {
        tb_unlock_pages(tb);
        goto buffer_overflow;
    }
    tb->tc.size = gen_code_size;
    /*
     * For CF_PCREL, attribute all executions of the generated code
     * to its first mapping.
     */
    perf_report_code(pc, tb, tcg_splitwx_to_rx(gen_code_buf));
    qatomic_set(&tcg_ctx->code_gen_ptr, (void *)
        ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
                 CODE_GEN_ALIGN));
    /* init jump list */
    qemu_spin_init(&tb->jmp_lock);
    tb->jmp_list_head = (uintptr_t)NULL;
    tb->jmp_list_next[0] = (uintptr_t)NULL;
    tb->jmp_list_next[1] = (uintptr_t)NULL;
    tb->jmp_dest[0] = (uintptr_t)NULL;
    tb->jmp_dest[1] = (uintptr_t)NULL;
    /* init original jump addresses which have been set during tcg_gen_code() */
    if (tb->jmp_reset_offset[0] != TB_JMP_OFFSET_INVALID) {
        tb_reset_jump(tb, 0);
    }
    if (tb->jmp_reset_offset[1] != TB_JMP_OFFSET_INVALID) {
        tb_reset_jump(tb, 1);
    }
    assert_no_pages_locked();
 #ifndef CONFIG_USER_ONLY
    tb->page_addr[0] = tb->page_addr[1] = -1;
 #endif
    return tb;
 }
 //// --- End LibAFL code ---
 /* Called with mmap_lock held for user mode emulation.  */
 TranslationBlock *tb_gen_code(CPUState *cpu,
                              vaddr pc, uint64_t cs_base,
@ -649,7 +385,7 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
            /*
             * Overflow of code_gen_buffer, or the current slice of it.
             *
-             * TODO: We don't need to re-do gen_intermediate_code, nor
+             * TODO: We don't need to re-do tcg_ops->translate_code, nor
             * should we re-do the tcg optimization currently hidden
             * inside tcg_gen_code.  All that should be required is to
             * flush the TBs, allocate a new TB, re-initialize it per
@ -820,16 +556,6 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
        tb_reset_jump(tb, 1);
    }
    /*
     * If the TB is not associated with a physical RAM page then it must be
     * a temporary one-insn TB, and we have nothing left to do. Return early
     * before attempting to link to other TBs or add to the lookup table.
     */
    if (tb_page_addr0(tb) == -1) {
        assert_no_pages_locked();
        return tb;
    }
    /*
     * Insert TB into the corresponding region tree before publishing it
     * through QHT. Otherwise rewinding happened in the TB might fail to
@ -837,6 +563,25 @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     */
    tcg_tb_insert(tb);
    /*
     * If the TB is not associated with a physical RAM page then it must be
     * a temporary one-insn TB.
     *
     * Such TBs must be added to region trees in order to make sure that
     * restore_state_to_opc() - which on some architectures is not limited to
     * rewinding, but also affects exception handling! - is called when such a
     * TB causes an exception.
     *
     * At the same time, temporary one-insn TBs must be executed at most once,
     * because subsequent reads from, e.g., I/O memory may return different
     * values. So return early before attempting to link to other TBs or add
     * to the QHT.
     */
    if (tb_page_addr0(tb) == -1) {
        assert_no_pages_locked();
        return tb;
    }
    /*
     * No explicit memory barrier is required -- tb_link_page() makes the
     * TB visible in a consistent state.
@ -911,7 +656,7 @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
     * to account for the re-execution of the branch.
     */
    n = 1;
-    cc = CPU_GET_CLASS(cpu);
+    cc = cpu->cc;
    if (cc->tcg_ops->io_recompile_replay_branch &&
        cc->tcg_ops->io_recompile_replay_branch(cpu, tb)) {
        cpu->neg.icount_decr.u16.low++;
@ -922,9 +667,10 @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
     * Exit the loop and potentially generate a new TB executing the
     * just the I/O insns. We also limit instrumentation to memory
     * operations only (which execute after completion) so we don't
-     * double instrument the instruction.
+     * double instrument the instruction. Also don't let an IRQ sneak
     * in before we execute it.
     */
-    cpu->cflags_next_tb = curr_cflags(cpu) | CF_MEMI_ONLY | n;
+    cpu->cflags_next_tb = curr_cflags(cpu) | CF_MEMI_ONLY | CF_NOIRQ | n;
    if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
        vaddr pc = cpu->cc->get_pc(cpu);
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@ -15,9 +15,26 @@
 #include "exec/cpu_ldst.h"
 #include "exec/plugin-gen.h"
 #include "exec/cpu_ldst.h"
 #include "exec/tswap.h"
 #include "tcg/tcg-op-common.h"
 #include "internal-target.h"
 #include "disas/disas.h"
 #include "tb-internal.h"
 //// --- Begin LibAFL code ---
 #include "libafl/exit.h"
 #include "libafl/hook.h"
 #include "libafl/hooks/tcg/instruction.h"
 #include "libafl/hooks/tcg/backdoor.h"
 #ifndef TARGET_LONG_BITS
 #error "TARGET_LONG_BITS not defined"
 #endif
 //// --- End LibAFL code ---
 static void set_can_do_io(DisasContextBase *db, bool val)
 {
@ -102,19 +119,10 @@ static void gen_tb_end(const TranslationBlock *tb, uint32_t cflags,
    }
 }
-//// --- Begin LibAFL code ---
+bool translator_is_same_page(const DisasContextBase *db, vaddr addr)
-
+{
-#include "libafl/exit.h"
+    return ((addr ^ db->pc_first) & TARGET_PAGE_MASK) == 0;
-#include "libafl/hook.h"
+}
 #include "libafl/hooks/tcg/instruction.h"
 #include "libafl/hooks/tcg/backdoor.h"
 #ifndef TARGET_LONG_BITS
 #error "TARGET_LONG_BITS not defined"
 #endif
 //// --- End LibAFL code ---
 bool translator_use_goto_tb(DisasContextBase *db, vaddr dest)
 {
@ -124,7 +132,7 @@ bool translator_use_goto_tb(DisasContextBase *db, vaddr dest)
    }
    /* Check for the dest on the same page as the start of the TB.  */
-    return ((db->pc_first ^ dest) & TARGET_PAGE_MASK) == 0;
+    return translator_is_same_page(db, dest);
 }
 void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
--- a/accel/tcg/user-exec-stub.c
+++ b/accel/tcg/user-exec-stub.c
@ -1,6 +1,7 @@
 #include "qemu/osdep.h"
 #include "hw/core/cpu.h"
 #include "exec/replay-core.h"
 #include "internal-common.h"
 void cpu_resume(CPUState *cpu)
 {
@ -18,6 +19,16 @@ void cpu_exec_reset_hold(CPUState *cpu)
 {
 }
 /* User mode emulation does not support softmmu yet.  */
 void tlb_init(CPUState *cpu)
 {
 }
 void tlb_destroy(CPUState *cpu)
 {
 }
 /* User mode emulation does not support record/replay yet.  */
 bool replay_exception(void)
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@ -17,22 +17,27 @@
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */
 #include "qemu/osdep.h"
-#include "hw/core/tcg-cpu-ops.h"
+#include "accel/tcg/cpu-ops.h"
 #include "disas/disas.h"
 #include "exec/vaddr.h"
 #include "exec/exec-all.h"
 #include "tcg/tcg.h"
 #include "qemu/bitops.h"
 #include "qemu/rcu.h"
 #include "exec/cpu_ldst.h"
 #include "user/cpu_loop.h"
 #include "qemu/main-loop.h"
-#include "exec/translate-all.h"
+#include "user/page-protection.h"
 #include "exec/page-protection.h"
 #include "exec/helper-proto.h"
 #include "qemu/atomic128.h"
 #include "qemu/bswap.h"
 #include "qemu/int128.h"
 #include "trace.h"
 #include "tcg/tcg-ldst.h"
 #include "internal-common.h"
 #include "internal-target.h"
 #include "tb-internal.h"
 __thread uintptr_t helper_retaddr;
@ -702,7 +707,7 @@ void page_protect(tb_page_addr_t address)
 * immediately exited. (We can only return 2 if the 'pc' argument is
 * non-zero.)
 */
-int page_unprotect(target_ulong address, uintptr_t pc)
+int page_unprotect(tb_page_addr_t address, uintptr_t pc)
 {
    PageFlagsNode *p;
    bool current_tb_invalidated;
@ -973,6 +978,85 @@ static void *cpu_mmu_lookup(CPUState *cpu, vaddr addr,
    return ret;
 }
 /* physical memory access (slow version, mainly for debug) */
 int cpu_memory_rw_debug(CPUState *cpu, vaddr addr,
                        void *ptr, size_t len, bool is_write)
 {
    int flags;
    vaddr l, page;
    uint8_t *buf = ptr;
    ssize_t written;
    int ret = -1;
    int fd = -1;
    mmap_lock();
    while (len > 0) {
        page = addr & TARGET_PAGE_MASK;
        l = (page + TARGET_PAGE_SIZE) - addr;
        if (l > len) {
            l = len;
        }
        flags = page_get_flags(page);
        if (!(flags & PAGE_VALID)) {
            goto out_close;
        }
        if (is_write) {
            if (flags & PAGE_WRITE) {
                memcpy(g2h(cpu, addr), buf, l);
            } else {
                /* Bypass the host page protection using ptrace. */
                if (fd == -1) {
                    fd = open("/proc/self/mem", O_WRONLY);
                    if (fd == -1) {
                        goto out;
                    }
                }
                /*
                 * If there is a TranslationBlock and we weren't bypassing the
                 * host page protection, the memcpy() above would SEGV,
                 * ultimately leading to page_unprotect(). So invalidate the
                 * translations manually. Both invalidation and pwrite() must
                 * be under mmap_lock() in order to prevent the creation of
                 * another TranslationBlock in between.
                 */
                tb_invalidate_phys_range(addr, addr + l - 1);
                written = pwrite(fd, buf, l,
                                 (off_t)(uintptr_t)g2h_untagged(addr));
                if (written != l) {
                    goto out_close;
                }
            }
        } else if (flags & PAGE_READ) {
            memcpy(buf, g2h(cpu, addr), l);
        } else {
            /* Bypass the host page protection using ptrace. */
            if (fd == -1) {
                fd = open("/proc/self/mem", O_RDONLY);
                if (fd == -1) {
                    goto out;
                }
            }
            if (pread(fd, buf, l,
                      (off_t)(uintptr_t)g2h_untagged(addr)) != l) {
                goto out_close;
            }
        }
        len -= l;
        buf += l;
        addr += l;
    }
    ret = 0;
 out_close:
    if (fd != -1) {
        close(fd);
    }
 out:
    mmap_unlock();
    return ret;
 }
 #include "ldst_atomicity.c.inc"
 static uint8_t do_ld1_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi,
--- a/accel/tcg/vcpu-state.h
+++ b/accel/tcg/vcpu-state.h
@ -1,6 +1,11 @@
 /*
- * SPDX-FileContributor: Philippe Mathieu-Daudé <philmd@linaro.org>
+ * TaskState helpers for QEMU
- * SPDX-FileCopyrightText: 2023 Linaro Ltd.
+ *
 * Copyright (c) 2023 Linaro Ltd.
 *
 * Authors:
 *   Philippe Mathieu-Daudé
 *
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
 #ifndef ACCEL_TCG_VCPU_STATE_H
--- a/accel/tcg/watchpoint.c
+++ b/accel/tcg/watchpoint.c
@ -19,13 +19,15 @@
 #include "qemu/osdep.h"
 #include "qemu/main-loop.h"
-#include "qemu/error-report.h"
+#include "exec/breakpoint.h"
-#include "exec/exec-all.h"
+#include "exec/cpu-interrupt.h"
-#include "exec/translate-all.h"
+#include "exec/page-protection.h"
-#include "sysemu/tcg.h"
+#include "exec/translation-block.h"
-#include "sysemu/replay.h"
+#include "system/tcg.h"
-#include "hw/core/tcg-cpu-ops.h"
+#include "system/replay.h"
 #include "accel/tcg/cpu-ops.h"
 #include "hw/core/cpu.h"
 #include "internal-common.h"
 /*
 * Return true if this watchpoint address matches the specified
@ -66,7 +68,6 @@ int cpu_watchpoint_address_matches(CPUState *cpu, vaddr addr, vaddr len)
 void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
                          MemTxAttrs attrs, int flags, uintptr_t ra)
 {
    CPUClass *cc = CPU_GET_CLASS(cpu);
    CPUWatchpoint *wp;
    assert(tcg_enabled());
@ -82,9 +83,9 @@ void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
        return;
    }
-    if (cc->tcg_ops->adjust_watchpoint_address) {
+    if (cpu->cc->tcg_ops->adjust_watchpoint_address) {
        /* this is currently used only by ARM BE32 */
-        addr = cc->tcg_ops->adjust_watchpoint_address(cpu, addr, len);
+        addr = cpu->cc->tcg_ops->adjust_watchpoint_address(cpu, addr, len);
    }
    assert((flags & ~BP_MEM_ACCESS) == 0);
@ -116,8 +117,8 @@ void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
            wp->hitattrs = attrs;
            if (wp->flags & BP_CPU
-                && cc->tcg_ops->debug_check_watchpoint
+                && cpu->cc->tcg_ops->debug_check_watchpoint
-                && !cc->tcg_ops->debug_check_watchpoint(cpu, wp)) {
+                && !cpu->cc->tcg_ops->debug_check_watchpoint(cpu, wp)) {
                wp->flags &= ~BP_WATCHPOINT_HIT;
                continue;
            }
--- a/accel/xen/xen-all.c
+++ b/accel/xen/xen-all.c
@ -18,9 +18,10 @@
 #include "hw/xen/xen_igd.h"
 #include "chardev/char.h"
 #include "qemu/accel.h"
-#include "sysemu/cpus.h"
+#include "system/accel-ops.h"
-#include "sysemu/xen.h"
+#include "system/cpus.h"
-#include "sysemu/runstate.h"
+#include "system/xen.h"
 #include "system/runstate.h"
 #include "migration/misc.h"
 #include "migration/global_state.h"
 #include "hw/boards.h"
--- a/audio/audio-hmp-cmds.c
+++ b/audio/audio-hmp-cmds.c
@ -27,7 +27,7 @@
 #include "monitor/hmp.h"
 #include "monitor/monitor.h"
 #include "qapi/error.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
 static QLIST_HEAD (capture_list_head, CaptureState) capture_head;
--- a/audio/audio.c
+++ b/audio/audio.c
@ -32,15 +32,15 @@
 #include "qapi/qobject-input-visitor.h"
 #include "qapi/qapi-visit-audio.h"
 #include "qapi/qapi-commands-audio.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
 #include "qemu/cutils.h"
 #include "qemu/error-report.h"
 #include "qemu/log.h"
 #include "qemu/module.h"
 #include "qemu/help_option.h"
-#include "sysemu/sysemu.h"
+#include "system/system.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
-#include "sysemu/runstate.h"
+#include "system/runstate.h"
 #include "ui/qemu-spice.h"
 #include "trace.h"
--- a/audio/dbusaudio.c
+++ b/audio/dbusaudio.c
@ -43,9 +43,10 @@
 #define DBUS_DISPLAY1_AUDIO_PATH DBUS_DISPLAY1_ROOT "/Audio"
-#define DBUS_AUDIO_NSAMPLES 1024 /* could be configured? */
+#define DBUS_DEFAULT_AUDIO_NSAMPLES 480
 typedef struct DBusAudio {
    Audiodev *dev;
    GDBusObjectManagerServer *server;
    bool p2p;
    GDBusObjectSkeleton *audio;
@ -151,6 +152,18 @@ dbus_init_out_listener(QemuDBusDisplay1AudioOutListener *listener,
        G_DBUS_CALL_FLAGS_NONE, -1, NULL, NULL, NULL);
 }
 static guint
 dbus_audio_get_nsamples(DBusAudio *da)
 {
    AudiodevDBusOptions *opts = &da->dev->u.dbus;
    if (opts->has_nsamples && opts->nsamples) {
        return opts->nsamples;
    } else {
        return DBUS_DEFAULT_AUDIO_NSAMPLES;
    }
 }
 static int
 dbus_init_out(HWVoiceOut *hw, struct audsettings *as, void *drv_opaque)
 {
@ -160,7 +173,7 @@ dbus_init_out(HWVoiceOut *hw, struct audsettings *as, void *drv_opaque)
    QemuDBusDisplay1AudioOutListener *listener = NULL;
    audio_pcm_init_info(&hw->info, as);
-    hw->samples = DBUS_AUDIO_NSAMPLES;
+    hw->samples = dbus_audio_get_nsamples(da);
    audio_rate_start(&vo->rate);
    g_hash_table_iter_init(&iter, da->out_listeners);
@ -274,7 +287,7 @@ dbus_init_in(HWVoiceIn *hw, struct audsettings *as, void *drv_opaque)
    QemuDBusDisplay1AudioInListener *listener = NULL;
    audio_pcm_init_info(&hw->info, as);
-    hw->samples = DBUS_AUDIO_NSAMPLES;
+    hw->samples = dbus_audio_get_nsamples(da);
    audio_rate_start(&vo->rate);
    g_hash_table_iter_init(&iter, da->in_listeners);
@ -399,6 +412,7 @@ dbus_audio_init(Audiodev *dev, Error **errp)
 {
    DBusAudio *da = g_new0(DBusAudio, 1);
    da->dev = dev;
    da->out_listeners = g_hash_table_new_full(g_str_hash, g_str_equal,
                                                g_free, g_object_unref);
    da->in_listeners = g_hash_table_new_full(g_str_hash, g_str_equal,
@ -524,11 +538,17 @@ dbus_audio_register_listener(AudioState *s,
            );
    }
    GDBusConnectionFlags flags =
        G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_SERVER;
 #ifdef WIN32
    flags |= G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS;
 #endif
    listener_conn =
        g_dbus_connection_new_sync(
            G_IO_STREAM(socket_conn),
            guid,
-            G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_SERVER,
+            flags,
            NULL, NULL, &err);
    if (err) {
        error_report("Failed to setup peer connection: %s", err->message);
@ -646,6 +666,7 @@ dbus_audio_set_server(AudioState *s, GDBusObjectManagerServer *server, bool p2p)
                     "swapped-signal::handle-register-out-listener",
                     dbus_audio_register_out_listener, s,
                     NULL);
    qemu_dbus_display1_audio_set_nsamples(da->iface, dbus_audio_get_nsamples(da));
    g_dbus_object_skeleton_add_interface(G_DBUS_OBJECT_SKELETON(da->audio),
                                         G_DBUS_INTERFACE_SKELETON(da->iface));
--- a/authz/listfile.c
+++ b/authz/listfile.c
@ -28,8 +28,8 @@
 #include "qemu/filemonitor.h"
 #include "qom/object_interfaces.h"
 #include "qapi/qapi-visit-authz.h"
-#include "qapi/qmp/qjson.h"
+#include "qobject/qjson.h"
-#include "qapi/qmp/qobject.h"
+#include "qobject/qobject.h"
 #include "qapi/qobject-input-visitor.h"
--- a/backends/confidential-guest-support.c
+++ b/backends/confidential-guest-support.c
@ -13,7 +13,7 @@
 #include "qemu/osdep.h"
-#include "exec/confidential-guest-support.h"
+#include "system/confidential-guest-support.h"
 OBJECT_DEFINE_ABSTRACT_TYPE(ConfidentialGuestSupport,
                            confidential_guest_support,
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@ -22,7 +22,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/cryptodev.h"
+#include "system/cryptodev.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"
 #include "standard-headers/linux/virtio_crypto.h"
--- a/backends/cryptodev-hmp-cmds.c
+++ b/backends/cryptodev-hmp-cmds.c
@ -14,7 +14,7 @@
 #include "monitor/hmp.h"
 #include "monitor/monitor.h"
 #include "qapi/qapi-commands-cryptodev.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
 void hmp_info_cryptodev(Monitor *mon, const QDict *qdict)
--- a/backends/cryptodev-lkcf.c
+++ b/backends/cryptodev-lkcf.c
@ -30,7 +30,7 @@
 #include "qemu/error-report.h"
 #include "qemu/queue.h"
 #include "qom/object.h"
-#include "sysemu/cryptodev.h"
+#include "system/cryptodev.h"
 #include "standard-headers/linux/virtio_crypto.h"
 #include <keyutils.h>
@ -330,6 +330,8 @@ static void cryptodev_lkcf_execute_task(CryptoDevLKCFTask *task)
            cryptodev_lkcf_set_op_desc(&session->akcipher_opts, op_desc,
                                       sizeof(op_desc), &local_error) != 0) {
            error_report_err(local_error);
            status = -VIRTIO_CRYPTO_ERR;
            goto out;
        } else {
            key_id = add_key(KCTL_KEY_TYPE_PKEY, "lkcf-backend-priv-key",
                             p8info, p8info_len, KCTL_KEY_RING);
@ -346,6 +348,7 @@ static void cryptodev_lkcf_execute_task(CryptoDevLKCFTask *task)
                                        session->key, session->keylen,
                                        &local_error);
        if (!akcipher) {
            error_report_err(local_error);
            status = -VIRTIO_CRYPTO_ERR;
            goto out;
        }
--- a/backends/cryptodev-vhost-user.c
+++ b/backends/cryptodev-vhost-user.c
@ -27,9 +27,9 @@
 #include "qemu/error-report.h"
 #include "hw/virtio/vhost-user.h"
 #include "standard-headers/linux/virtio_crypto.h"
-#include "sysemu/cryptodev-vhost.h"
+#include "system/cryptodev-vhost.h"
 #include "chardev/char-fe.h"
-#include "sysemu/cryptodev-vhost-user.h"
+#include "system/cryptodev-vhost-user.h"
 #include "qom/object.h"
--- a/backends/cryptodev-vhost.c
+++ b/backends/cryptodev-vhost.c
@ -24,13 +24,13 @@
 #include "qemu/osdep.h"
 #include "hw/virtio/virtio-bus.h"
-#include "sysemu/cryptodev-vhost.h"
+#include "system/cryptodev-vhost.h"
 #ifdef CONFIG_VHOST_CRYPTO
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "hw/virtio/virtio-crypto.h"
-#include "sysemu/cryptodev-vhost-user.h"
+#include "system/cryptodev-vhost-user.h"
 uint64_t
 cryptodev_vhost_get_max_queues(
@ -53,7 +53,7 @@ cryptodev_vhost_init(
    CryptoDevBackendVhost *crypto;
    Error *local_err = NULL;
-    crypto = g_new(CryptoDevBackendVhost, 1);
+    crypto = g_new0(CryptoDevBackendVhost, 1);
    crypto->dev.max_queues = 1;
    crypto->dev.nvqs = 1;
    crypto->dev.vqs = crypto->vqs;
--- a/backends/cryptodev.c
+++ b/backends/cryptodev.c
@ -22,8 +22,8 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/cryptodev.h"
+#include "system/cryptodev.h"
-#include "sysemu/stats.h"
+#include "system/stats.h"
 #include "qapi/error.h"
 #include "qapi/qapi-commands-cryptodev.h"
 #include "qapi/qapi-types-stats.h"
@ -97,7 +97,7 @@ static int qmp_query_cryptodev_foreach(Object *obj, void *data)
 QCryptodevInfoList *qmp_query_cryptodev(Error **errp)
 {
    QCryptodevInfoList *list = NULL;
-    Object *objs = container_get(object_get_root(), "/objects");
+    Object *objs = object_get_container("objects");
    object_child_foreach(objs, qmp_query_cryptodev_foreach, &list);
@ -557,7 +557,7 @@ static void cryptodev_backend_stats_cb(StatsResultList **result,
    switch (target) {
    case STATS_TARGET_CRYPTODEV:
    {
-        Object *objs = container_get(object_get_root(), "/objects");
+        Object *objs = object_get_container("objects");
        StatsArgs stats_args;
        stats_args.result.stats = result;
        stats_args.names = names;
--- a/backends/host_iommu_device.c
+++ b/backends/host_iommu_device.c
@ -10,7 +10,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/host_iommu_device.h"
+#include "system/host_iommu_device.h"
 OBJECT_DEFINE_ABSTRACT_TYPE(HostIOMMUDevice,
                            host_iommu_device,
--- a/backends/hostmem-epc.c
+++ b/backends/hostmem-epc.c
@ -14,7 +14,7 @@
 #include <sys/ioctl.h>
 #include "qom/object_interfaces.h"
 #include "qapi/error.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "hw/i386/hostmem-epc.h"
 static bool
@ -36,7 +36,7 @@ sgx_epc_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
    backend->aligned = true;
    name = object_get_canonical_path(OBJECT(backend));
-    ram_flags = (backend->share ? RAM_SHARED : 0) | RAM_PROTECTED;
+    ram_flags = (backend->share ? RAM_SHARED : RAM_PRIVATE) | RAM_PROTECTED;
    return memory_region_init_ram_from_fd(&backend->mr, OBJECT(backend), name,
                                          backend->size, ram_flags, fd, 0, errp);
 }
--- a/backends/hostmem-file.c
+++ b/backends/hostmem-file.c
@ -15,7 +15,7 @@
 #include "qemu/error-report.h"
 #include "qemu/module.h"
 #include "qemu/madvise.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "qom/object_interfaces.h"
 #include "qom/object.h"
 #include "qapi/visitor.h"
@ -82,7 +82,7 @@ file_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
    backend->aligned = true;
    name = host_memory_backend_get_name(backend);
-    ram_flags = backend->share ? RAM_SHARED : 0;
+    ram_flags = backend->share ? RAM_SHARED : RAM_PRIVATE;
    ram_flags |= fb->readonly ? RAM_READONLY_FD : 0;
    ram_flags |= fb->rom == ON_OFF_AUTO_ON ? RAM_READONLY : 0;
    ram_flags |= backend->reserve ? 0 : RAM_NORESERVE;
--- a/backends/hostmem-memfd.c
+++ b/backends/hostmem-memfd.c
@ -11,12 +11,13 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "qom/object_interfaces.h"
 #include "qemu/memfd.h"
 #include "qemu/module.h"
 #include "qapi/error.h"
 #include "qom/object.h"
 #include "migration/cpr.h"
 OBJECT_DECLARE_SIMPLE_TYPE(HostMemoryBackendMemfd, MEMORY_BACKEND_MEMFD)
@ -33,15 +34,19 @@ static bool
 memfd_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
 {
    HostMemoryBackendMemfd *m = MEMORY_BACKEND_MEMFD(backend);
-    g_autofree char *name = NULL;
+    g_autofree char *name = host_memory_backend_get_name(backend);
    int fd = cpr_find_fd(name, 0);
    uint32_t ram_flags;
    int fd;
    if (!backend->size) {
        error_setg(errp, "can't create backend with size 0");
        return false;
    }
    if (fd >= 0) {
        goto have_fd;
    }
    fd = qemu_memfd_create(TYPE_MEMORY_BACKEND_MEMFD, backend->size,
                           m->hugetlb, m->hugetlbsize, m->seal ?
                           F_SEAL_GROW | F_SEAL_SHRINK | F_SEAL_SEAL : 0,
@ -49,10 +54,11 @@ memfd_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
    if (fd == -1) {
        return false;
    }
    cpr_save_fd(name, 0, fd);
 have_fd:
    backend->aligned = true;
-    name = host_memory_backend_get_name(backend);
+    ram_flags = backend->share ? RAM_SHARED : RAM_PRIVATE;
    ram_flags = backend->share ? RAM_SHARED : 0;
    ram_flags |= backend->reserve ? 0 : RAM_NORESERVE;
    ram_flags |= backend->guest_memfd ? RAM_GUEST_MEMFD : 0;
    return memory_region_init_ram_from_fd(&backend->mr, OBJECT(backend), name,
--- a/backends/hostmem-ram.c
+++ b/backends/hostmem-ram.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "qapi/error.h"
 #include "qemu/module.h"
 #include "qom/object_interfaces.h"
@ -28,7 +28,7 @@ ram_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
    }
    name = host_memory_backend_get_name(backend);
-    ram_flags = backend->share ? RAM_SHARED : 0;
+    ram_flags = backend->share ? RAM_SHARED : RAM_PRIVATE;
    ram_flags |= backend->reserve ? 0 : RAM_NORESERVE;
    ram_flags |= backend->guest_memfd ? RAM_GUEST_MEMFD : 0;
    return memory_region_init_ram_flags_nomigrate(&backend->mr, OBJECT(backend),
--- a/backends/hostmem-shm.c
+++ b/backends/hostmem-shm.c
@ -11,8 +11,9 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "qapi/error.h"
 #include "migration/cpr.h"
 #define TYPE_MEMORY_BACKEND_SHM "memory-backend-shm"
@ -25,11 +26,9 @@ struct HostMemoryBackendShm {
 static bool
 shm_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
 {
-    g_autoptr(GString) shm_name = g_string_new(NULL);
+    g_autofree char *backend_name = host_memory_backend_get_name(backend);
    g_autofree char *backend_name = NULL;
    uint32_t ram_flags;
-    int fd, oflag;
+    int fd = cpr_find_fd(backend_name, 0);
    mode_t mode;
    if (!backend->size) {
        error_setg(errp, "can't create shm backend with size 0");
@ -41,48 +40,18 @@ shm_backend_memory_alloc(HostMemoryBackend *backend, Error **errp)
        return false;
    }
-    /*
+    if (fd >= 0) {
-     * Let's use `mode = 0` because we don't want other processes to open our
+        goto have_fd;
-     * memory unless we share the file descriptor with them.
+    }
     */
    mode = 0;
    oflag = O_RDWR | O_CREAT | O_EXCL;
    backend_name = host_memory_backend_get_name(backend);
-    /*
+    fd = qemu_shm_alloc(backend->size, errp);
     * Some operating systems allow creating anonymous POSIX shared memory
     * objects (e.g. FreeBSD provides the SHM_ANON constant), but this is not
     * defined by POSIX, so let's create a unique name.
     *
     * From Linux's shm_open(3) man-page:
     *   For  portable  use,  a shared  memory  object should be identified
     *   by a name of the form /somename;"
     */
    g_string_printf(shm_name, "/qemu-" FMT_pid "-shm-%s", getpid(),
                    backend_name);
    fd = shm_open(shm_name->str, oflag, mode);
    if (fd < 0) {
        error_setg_errno(errp, errno,
                         "failed to create POSIX shared memory");
        return false;
    }
    /*
     * We have the file descriptor, so we no longer need to expose the
     * POSIX shared memory object. However it will remain allocated as long as
     * there are file descriptors pointing to it.
     */
    shm_unlink(shm_name->str);
    if (ftruncate(fd, backend->size) == -1) {
        error_setg_errno(errp, errno,
                         "failed to resize POSIX shared memory to %" PRIu64,
                         backend->size);
        close(fd);
        return false;
    }
    cpr_save_fd(backend_name, 0, fd);
 have_fd:
    /* Let's do the same as memory-backend-ram,share=on would do. */
    ram_flags = RAM_SHARED;
    ram_flags |= backend->reserve ? 0 : RAM_NORESERVE;
--- a/backends/hostmem.c
+++ b/backends/hostmem.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "hw/boards.h"
 #include "qapi/error.h"
 #include "qapi/qapi-builtin-visit.h"
--- a/backends/iommufd.c
+++ b/backends/iommufd.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/iommufd.h"
+#include "system/iommufd.h"
 #include "qapi/error.h"
 #include "qemu/module.h"
 #include "qom/object_interfaces.h"
@ -167,8 +167,6 @@ int iommufd_backend_map_dma(IOMMUFDBackend *be, uint32_t ioas_id, hwaddr iova,
        /* TODO: Not support mapping hardware PCI BAR region for now. */
        if (errno == EFAULT) {
            warn_report("IOMMU_IOAS_MAP failed: %m, PCI BAR?");
        } else {
            error_report("IOMMU_IOAS_MAP failed: %m");
        }
    }
    return ret;
@ -203,7 +201,6 @@ int iommufd_backend_unmap_dma(IOMMUFDBackend *be, uint32_t ioas_id,
    if (ret) {
        ret = -errno;
        error_report("IOMMU_IOAS_UNMAP failed: %m");
    }
    return ret;
 }
--- a/backends/rng-builtin.c
+++ b/backends/rng-builtin.c
@ -6,11 +6,11 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/rng.h"
+#include "system/rng.h"
 #include "qemu/main-loop.h"
 #include "qemu/guest-random.h"
 #include "qom/object.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
 OBJECT_DECLARE_SIMPLE_TYPE(RngBuiltin, RNG_BUILTIN)
--- a/backends/rng-egd.c
+++ b/backends/rng-egd.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/rng.h"
+#include "system/rng.h"
 #include "chardev/char-fe.h"
 #include "qapi/error.h"
 #include "qapi/qmp/qerror.h"
--- a/backends/rng-random.c
+++ b/backends/rng-random.c
@ -11,8 +11,8 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/rng-random.h"
+#include "system/rng-random.h"
-#include "sysemu/rng.h"
+#include "system/rng.h"
 #include "qapi/error.h"
 #include "qapi/qmp/qerror.h"
 #include "qemu/main-loop.h"
--- a/backends/rng.c
+++ b/backends/rng.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/rng.h"
+#include "system/rng.h"
 #include "qapi/error.h"
 #include "qemu/module.h"
 #include "qom/object_interfaces.h"
--- a/backends/spdm-socket.c
+++ b/backends/spdm-socket.c
@ -11,7 +11,7 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/spdm-socket.h"
+#include "system/spdm-socket.h"
 #include "qapi/error.h"
 static bool read_bytes(const int socket, uint8_t *buffer,
--- a/backends/tpm/tpm_backend.c
+++ b/backends/tpm/tpm_backend.c
@ -13,9 +13,9 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/tpm_backend.h"
+#include "system/tpm_backend.h"
 #include "qapi/error.h"
-#include "sysemu/tpm.h"
+#include "system/tpm.h"
 #include "qemu/thread.h"
 #include "qemu/main-loop.h"
 #include "qemu/module.h"
--- a/backends/tpm/tpm_emulator.c
+++ b/backends/tpm/tpm_emulator.c
@ -32,9 +32,9 @@
 #include "qemu/sockets.h"
 #include "qemu/lockable.h"
 #include "io/channel-socket.h"
-#include "sysemu/runstate.h"
+#include "system/runstate.h"
-#include "sysemu/tpm_backend.h"
+#include "system/tpm_backend.h"
-#include "sysemu/tpm_util.h"
+#include "system/tpm_util.h"
 #include "tpm_int.h"
 #include "tpm_ioctl.h"
 #include "migration/blocker.h"
--- a/backends/tpm/tpm_int.h
+++ b/backends/tpm/tpm_int.h
@ -13,7 +13,7 @@
 #define BACKENDS_TPM_INT_H
 #include "qemu/option.h"
-#include "sysemu/tpm.h"
+#include "system/tpm.h"
 #define TPM_STANDARD_CMDLINE_OPTS \
    { \
--- a/backends/tpm/tpm_passthrough.c
+++ b/backends/tpm/tpm_passthrough.c
@ -26,8 +26,8 @@
 #include "qemu/error-report.h"
 #include "qemu/module.h"
 #include "qemu/sockets.h"
-#include "sysemu/tpm_backend.h"
+#include "system/tpm_backend.h"
-#include "sysemu/tpm_util.h"
+#include "system/tpm_util.h"
 #include "tpm_int.h"
 #include "qapi/clone-visitor.h"
 #include "qapi/qapi-visit-tpm.h"
--- a/backends/tpm/tpm_util.c
+++ b/backends/tpm/tpm_util.c
@ -21,13 +21,14 @@
 #include "qemu/osdep.h"
 #include "qemu/error-report.h"
 #include "qemu/cutils.h"
 #include "qapi/error.h"
 #include "qapi/visitor.h"
 #include "tpm_int.h"
 #include "exec/memory.h"
 #include "hw/qdev-properties.h"
-#include "sysemu/tpm_backend.h"
+#include "system/tpm_backend.h"
-#include "sysemu/tpm_util.h"
+#include "system/tpm_util.h"
 #include "trace.h"
 /* tpm backend property */
@ -46,7 +47,7 @@ static void get_tpm(Object *obj, Visitor *v, const char *name, void *opaque,
 static void set_tpm(Object *obj, Visitor *v, const char *name, void *opaque,
                    Error **errp)
 {
-    Property *prop = opaque;
+    const Property *prop = opaque;
    TPMBackend *s, **be = object_field_prop_ptr(obj, prop);
    char *str;
@ -66,7 +67,7 @@ static void set_tpm(Object *obj, Visitor *v, const char *name, void *opaque,
 static void release_tpm(Object *obj, const char *name, void *opaque)
 {
-    Property *prop = opaque;
+    const Property *prop = opaque;
    TPMBackend **be = object_field_prop_ptr(obj, prop);
    if (*be) {
@ -75,7 +76,7 @@ static void release_tpm(Object *obj, const char *name, void *opaque)
 }
 const PropertyInfo qdev_prop_tpm = {
-    .name  = "str",
+    .type  = "str",
    .description = "ID of a tpm to use as a backend",
    .get   = get_tpm,
    .set   = set_tpm,
@ -336,8 +337,8 @@ void tpm_sized_buffer_reset(TPMSizedBuffer *tsb)
 void tpm_util_show_buffer(const unsigned char *buffer,
                          size_t buffer_size, const char *string)
 {
-    size_t len, i;
+    g_autoptr(GString) str = NULL;
-    char *line_buffer, *p;
+    size_t len, i, l;
    if (!trace_event_get_state_backends(TRACE_TPM_UTIL_SHOW_BUFFER_CONTENT)) {
        return;
@ -345,19 +346,14 @@ void tpm_util_show_buffer(const unsigned char *buffer,
    len = MIN(tpm_cmd_get_size(buffer), buffer_size);
    trace_tpm_util_show_buffer_header(string, len);
-    /*
+    for (i = 0; i < len; i += l) {
-     * allocate enough room for 3 chars per buffer entry plus a
+        if (str) {
-     * newline after every 16 chars and a final null terminator.
+            g_string_append_c(str, '\n');
     */
    line_buffer = g_malloc(len * 3 + (len / 16) + 1);
    for (i = 0, p = line_buffer; i < len; i++) {
        if (i && !(i % 16)) {
            p += sprintf(p, "\n");
        }
-        p += sprintf(p, "%.2X ", buffer[i]);
+        l = MIN(len, 16);
        str = qemu_hexdump_line(str, buffer, l, 1, 0);
    }
    trace_tpm_util_show_buffer_content(line_buffer);
-    g_free(line_buffer);
+    g_string_ascii_up(str);
    trace_tpm_util_show_buffer_content(str->str);
 }
--- a/backends/vhost-user.c
+++ b/backends/vhost-user.c
@ -15,8 +15,8 @@
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "qom/object_interfaces.h"
-#include "sysemu/vhost-user-backend.h"
+#include "system/vhost-user-backend.h"
-#include "sysemu/kvm.h"
+#include "system/kvm.h"
 #include "io/channel-command.h"
 #include "hw/virtio/virtio-bus.h"
--- a/block.c
+++ b/block.c
@ -36,13 +36,13 @@
 #include "qemu/main-loop.h"
 #include "qemu/module.h"
 #include "qapi/error.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
-#include "qapi/qmp/qjson.h"
+#include "qobject/qjson.h"
-#include "qapi/qmp/qnull.h"
+#include "qobject/qnull.h"
-#include "qapi/qmp/qstring.h"
+#include "qobject/qstring.h"
 #include "qapi/qobject-output-visitor.h"
 #include "qapi/qapi-visit-block-core.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "qemu/notify.h"
 #include "qemu/option.h"
 #include "qemu/coroutine.h"
@ -1573,6 +1573,10 @@ static void update_flags_from_options(int *flags, QemuOpts *opts)
    if (qemu_opt_get_bool_del(opts, BDRV_OPT_AUTO_READ_ONLY, false)) {
        *flags |= BDRV_O_AUTO_RDONLY;
    }
    if (!qemu_opt_get_bool_del(opts, BDRV_OPT_ACTIVE, true)) {
        *flags |= BDRV_O_INACTIVE;
    }
 }
 static void update_options_from_flags(QDict *options, int flags)
@ -1799,6 +1803,11 @@ QemuOptsList bdrv_runtime_opts = {
            .type = QEMU_OPT_BOOL,
            .help = "Ignore flush requests",
        },
        {
            .name = BDRV_OPT_ACTIVE,
            .type = QEMU_OPT_BOOL,
            .help = "Node is activated",
        },
        {
            .name = BDRV_OPT_READ_ONLY,
            .type = QEMU_OPT_BOOL,
@ -3077,6 +3086,13 @@ bdrv_attach_child_common(BlockDriverState *child_bs,
    assert(child_class->get_parent_desc);
    GLOBAL_STATE_CODE();
    if (bdrv_is_inactive(child_bs) && (perm & ~BLK_PERM_CONSISTENT_READ)) {
        g_autofree char *perm_names = bdrv_perm_names(perm);
        error_setg(errp, "Permission '%s' unavailable on inactive node",
                   perm_names);
        return NULL;
    }
    new_child = g_new(BdrvChild, 1);
    *new_child = (BdrvChild) {
        .bs             = NULL,
@ -3183,6 +3199,11 @@ bdrv_attach_child_noperm(BlockDriverState *parent_bs,
                   child_bs->node_name, child_name, parent_bs->node_name);
        return NULL;
    }
    if (bdrv_is_inactive(child_bs) && !bdrv_is_inactive(parent_bs)) {
        error_setg(errp, "Inactive '%s' can't be a %s child of active '%s'",
                   child_bs->node_name, child_name, parent_bs->node_name);
        return NULL;
    }
    bdrv_get_cumulative_perm(parent_bs, &perm, &shared_perm);
    bdrv_child_perm(parent_bs, child_bs, NULL, child_role, NULL,
@ -6824,6 +6845,10 @@ void bdrv_init_with_whitelist(void)
    bdrv_init();
 }
 bool bdrv_is_inactive(BlockDriverState *bs) {
    return bs->open_flags & BDRV_O_INACTIVE;
 }
 int bdrv_activate(BlockDriverState *bs, Error **errp)
 {
    BdrvChild *child, *parent;
@ -6955,7 +6980,8 @@ bdrv_has_bds_parent(BlockDriverState *bs, bool only_active)
    return false;
 }
-static int GRAPH_RDLOCK bdrv_inactivate_recurse(BlockDriverState *bs)
+static int GRAPH_RDLOCK
 bdrv_inactivate_recurse(BlockDriverState *bs, bool top_level)
 {
    BdrvChild *child, *parent;
    int ret;
@ -6973,7 +6999,14 @@ static int GRAPH_RDLOCK bdrv_inactivate_recurse(BlockDriverState *bs)
        return 0;
    }
-    assert(!(bs->open_flags & BDRV_O_INACTIVE));
+    /*
     * Inactivating an already inactive node on user request is harmless, but if
     * a child is already inactive before its parent, that's bad.
     */
    if (bs->open_flags & BDRV_O_INACTIVE) {
        assert(top_level);
        return 0;
    }
    /* Inactivate this node */
    if (bs->drv->bdrv_inactivate) {
@ -6999,7 +7032,9 @@ static int GRAPH_RDLOCK bdrv_inactivate_recurse(BlockDriverState *bs)
        return -EPERM;
    }
    bdrv_drained_begin(bs);
    bs->open_flags |= BDRV_O_INACTIVE;
    bdrv_drained_end(bs);
    /*
     * Update permissions, they may differ for inactive nodes.
@ -7010,7 +7045,7 @@ static int GRAPH_RDLOCK bdrv_inactivate_recurse(BlockDriverState *bs)
    /* Recursively inactivate children */
    QLIST_FOREACH(child, &bs->children, next) {
-        ret = bdrv_inactivate_recurse(child->bs);
+        ret = bdrv_inactivate_recurse(child->bs, false);
        if (ret < 0) {
            return ret;
        }
@ -7019,6 +7054,27 @@ static int GRAPH_RDLOCK bdrv_inactivate_recurse(BlockDriverState *bs)
    return 0;
 }
 int bdrv_inactivate(BlockDriverState *bs, Error **errp)
 {
    int ret;
    GLOBAL_STATE_CODE();
    GRAPH_RDLOCK_GUARD_MAINLOOP();
    if (bdrv_has_bds_parent(bs, true)) {
        error_setg(errp, "Node has active parent node");
        return -EPERM;
    }
    ret = bdrv_inactivate_recurse(bs, true);
    if (ret < 0) {
        error_setg_errno(errp, -ret, "Failed to inactivate node");
        return ret;
    }
    return 0;
 }
 int bdrv_inactivate_all(void)
 {
    BlockDriverState *bs = NULL;
@ -7035,7 +7091,7 @@ int bdrv_inactivate_all(void)
        if (bdrv_has_bds_parent(bs, false)) {
            continue;
        }
-        ret = bdrv_inactivate_recurse(bs);
+        ret = bdrv_inactivate_recurse(bs, true);
        if (ret < 0) {
            bdrv_next_cleanup(&it);
            break;
--- a/block/accounting.c
+++ b/block/accounting.c
@ -27,7 +27,7 @@
 #include "block/accounting.h"
 #include "block/block_int.h"
 #include "qemu/timer.h"
-#include "sysemu/qtest.h"
+#include "system/qtest.h"
 static QEMUClockType clock_type = QEMU_CLOCK_REALTIME;
 static const int qtest_latency_ns = NANOSECONDS_PER_SECOND / 1000;
--- a/block/backup.c
+++ b/block/backup.c
@ -23,7 +23,7 @@
 #include "block/dirty-bitmap.h"
 #include "qapi/error.h"
 #include "qemu/cutils.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "qemu/bitmap.h"
 #include "qemu/error-report.h"
--- a/block/blkdebug.c
+++ b/block/blkdebug.c
@ -33,11 +33,11 @@
 #include "qemu/module.h"
 #include "qemu/option.h"
 #include "qapi/qapi-visit-block-core.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
-#include "qapi/qmp/qlist.h"
+#include "qobject/qlist.h"
-#include "qapi/qmp/qstring.h"
+#include "qobject/qstring.h"
 #include "qapi/qobject-input-visitor.h"
-#include "sysemu/qtest.h"
+#include "system/qtest.h"
 /* All APIs are thread-safe */
--- a/block/blkio.c
+++ b/block/blkio.c
@ -16,9 +16,9 @@
 #include "qemu/defer-call.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
 #include "qemu/module.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "exec/memory.h" /* for ram_block_discard_disable() */
 #include "block/block-io.h"
--- a/block/blklogwrites.c
+++ b/block/blklogwrites.c
@ -14,8 +14,8 @@
 #include "qemu/sockets.h" /* for EINPROGRESS on Windows */
 #include "block/block-io.h"
 #include "block/block_int.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
-#include "qapi/qmp/qstring.h"
+#include "qobject/qstring.h"
 #include "qemu/cutils.h"
 #include "qemu/module.h"
 #include "qemu/option.h"
--- a/block/blkreplay.c
+++ b/block/blkreplay.c
@ -13,7 +13,7 @@
 #include "qemu/module.h"
 #include "block/block-io.h"
 #include "block/block_int.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
 #include "qapi/error.h"
 typedef struct Request {
--- a/block/blkverify.c
+++ b/block/blkverify.c
@ -12,8 +12,8 @@
 #include "qemu/sockets.h" /* for EINPROGRESS on Windows */
 #include "block/block-io.h"
 #include "block/block_int.h"
-#include "qapi/qmp/qdict.h"
+#include "qobject/qdict.h"
-#include "qapi/qmp/qstring.h"
+#include "qobject/qstring.h"
 #include "qemu/cutils.h"
 #include "qemu/module.h"
 #include "qemu/option.h"
--- a/block/block-backend.c
+++ b/block/block-backend.c
@ -11,15 +11,15 @@
 */
 #include "qemu/osdep.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "block/block_int.h"
 #include "block/blockjob.h"
 #include "block/coroutines.h"
 #include "block/throttle-groups.h"
 #include "hw/qdev-core.h"
-#include "sysemu/blockdev.h"
+#include "system/blockdev.h"
-#include "sysemu/runstate.h"
+#include "system/runstate.h"
-#include "sysemu/replay.h"
+#include "system/replay.h"
 #include "qapi/error.h"
 #include "qapi/qapi-events-block.h"
 #include "qemu/id.h"
@ -262,7 +262,7 @@ static bool blk_can_inactivate(BlockBackend *blk)
     * guest.  For block job BBs that satisfy this, we can just allow
     * it.  This is the case for mirror job source, which is required
     * by libvirt non-shared block migration. */
-    if (!(blk->perm & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED))) {
+    if (!(blk->perm & ~BLK_PERM_CONSISTENT_READ)) {
        return true;
    }
@ -946,14 +946,24 @@ void blk_remove_bs(BlockBackend *blk)
 int blk_insert_bs(BlockBackend *blk, BlockDriverState *bs, Error **errp)
 {
    ThrottleGroupMember *tgm = &blk->public.throttle_group_member;
    uint64_t perm, shared_perm;
    GLOBAL_STATE_CODE();
    bdrv_ref(bs);
    bdrv_graph_wrlock();
    if ((bs->open_flags & BDRV_O_INACTIVE) && blk_can_inactivate(blk)) {
        blk->disable_perm = true;
        perm = 0;
        shared_perm = BLK_PERM_ALL;
    } else {
        perm = blk->perm;
        shared_perm = blk->shared_perm;
    }
    blk->root = bdrv_root_attach_child(bs, "root", &child_root,
                                       BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY,
-                                       blk->perm, blk->shared_perm,
+                                       perm, shared_perm, blk, errp);
                                       blk, errp);
    bdrv_graph_wrunlock();
    if (blk->root == NULL) {
        return -EPERM;
@ -1065,6 +1075,10 @@ DeviceState *blk_get_attached_dev(BlockBackend *blk)
    return blk->dev;
 }
 /*
 * The caller is responsible for releasing the value returned
 * with g_free() after use.
 */
 static char *blk_get_attached_dev_id_or_path(BlockBackend *blk, bool want_id)
 {
    DeviceState *dev = blk->dev;
@ -1079,15 +1093,15 @@ static char *blk_get_attached_dev_id_or_path(BlockBackend *blk, bool want_id)
    return object_get_canonical_path(OBJECT(dev)) ?: g_strdup("");
 }
 /*
 * Return the qdev ID, or if no ID is assigned the QOM path, of the block
 * device attached to the BlockBackend.
 */
 char *blk_get_attached_dev_id(BlockBackend *blk)
 {
    return blk_get_attached_dev_id_or_path(blk, true);
 }
 /*
 * The caller is responsible for releasing the value returned
 * with g_free() after use.
 */
 static char *blk_get_attached_dev_path(BlockBackend *blk)
 {
    return blk_get_attached_dev_id_or_path(blk, false);
@ -2416,18 +2430,6 @@ void *blk_blockalign(BlockBackend *blk, size_t size)
    return qemu_blockalign(blk ? blk_bs(blk) : NULL, size);
 }
 bool blk_op_is_blocked(BlockBackend *blk, BlockOpType op, Error **errp)
 {
    BlockDriverState *bs = blk_bs(blk);
    GLOBAL_STATE_CODE();
    GRAPH_RDLOCK_GUARD_MAINLOOP();
    if (!bs) {
        return false;
    }
    return bdrv_op_is_blocked(bs, op, errp);
 }
 /**
 * Return BB's current AioContext.  Note that this context may change
--- a/block/block-copy.c
+++ b/block/block-copy.c
@ -20,7 +20,7 @@
 #include "block/block_int-io.h"
 #include "block/dirty-bitmap.h"
 #include "block/reqlist.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "qemu/units.h"
 #include "qemu/co-shared-resource.h"
 #include "qemu/coroutine.h"
--- a/Show More
+++ b/Show More