Diffstat (limited to 'include')
-rw-r--r--include/block/block_int-common.h1
-rw-r--r--include/exec/cpu-all.h119
-rw-r--r--include/exec/cpu-common.h24
-rw-r--r--include/exec/cpu-defs.h8
-rw-r--r--include/exec/cpu_ldst.h50
-rw-r--r--include/exec/exec-all.h89
-rw-r--r--include/exec/page-protection.h24
-rw-r--r--include/exec/ram_addr.h7
-rw-r--r--include/exec/translate-all.h33
-rw-r--r--include/exec/translation-block.h5
-rw-r--r--include/exec/translator.h15
-rw-r--r--include/hw/acpi/tpm.h2
-rw-r--r--include/hw/arm/allwinner-a10.h2
-rw-r--r--include/hw/arm/allwinner-h3.h2
-rw-r--r--include/hw/arm/allwinner-r40.h2
-rw-r--r--include/hw/arm/virt.h2
-rw-r--r--include/hw/boards.h4
-rw-r--r--include/hw/core/sysemu-cpu-ops.h6
-rw-r--r--include/hw/dma/xlnx-zdma.h2
-rw-r--r--include/hw/dma/xlnx_dpdma.h2
-rw-r--r--include/hw/hyperv/vmbus.h4
-rw-r--r--include/hw/i386/hostmem-epc.h2
-rw-r--r--include/hw/ide/ide-dev.h2
-rw-r--r--include/hw/isa/superio.h2
-rw-r--r--include/hw/nvram/fw_cfg.h2
-rw-r--r--include/hw/nvram/xlnx-bbram.h2
-rw-r--r--include/hw/nvram/xlnx-efuse.h2
-rw-r--r--include/hw/pci/pci.h4
-rw-r--r--include/hw/ppc/mac_dbdma.h2
-rw-r--r--include/hw/ppc/spapr.h2
-rw-r--r--include/hw/ppc/spapr_drc.h2
-rw-r--r--include/hw/ppc/spapr_vio.h2
-rw-r--r--include/hw/ppc/xive.h2
-rw-r--r--include/hw/riscv/numa.h2
-rw-r--r--include/hw/s390x/css.h2
-rw-r--r--include/hw/s390x/s390-pci-inst.h2
-rw-r--r--include/hw/tricore/triboard.h2
-rw-r--r--include/hw/vfio/vfio-common.h6
-rw-r--r--include/hw/virtio/virtio-balloon.h2
-rw-r--r--include/hw/virtio/virtio-blk.h6
-rw-r--r--include/hw/virtio/virtio-crypto.h4
-rw-r--r--include/hw/virtio/virtio-gpu.h2
-rw-r--r--include/hw/virtio/virtio-input.h2
-rw-r--r--include/hw/virtio/virtio-iommu.h2
-rw-r--r--include/hw/virtio/virtio-mem.h2
-rw-r--r--include/hw/virtio/virtio-rng.h2
-rw-r--r--include/hw/virtio/virtio-scsi.h2
-rw-r--r--include/hw/xen/xen-block.h2
-rw-r--r--include/hw/xen/xen-hvm-common.h8
-rw-r--r--include/hw/xen/xen.h2
-rw-r--r--include/qemu/coroutine.h1
-rw-r--r--include/qemu/log.h1
-rw-r--r--include/qemu/main-loop.h2
-rw-r--r--include/qemu/osdep.h8
-rw-r--r--include/qom/object.h13
-rw-r--r--include/system/accel-blocker.h (renamed from include/sysemu/accel-blocker.h)2
-rw-r--r--include/system/accel-ops.h (renamed from include/sysemu/accel-ops.h)2
-rw-r--r--include/system/arch_init.h (renamed from include/sysemu/arch_init.h)0
-rw-r--r--include/system/balloon.h (renamed from include/sysemu/balloon.h)0
-rw-r--r--include/system/block-backend-common.h (renamed from include/sysemu/block-backend-common.h)0
-rw-r--r--include/system/block-backend-global-state.h (renamed from include/sysemu/block-backend-global-state.h)0
-rw-r--r--include/system/block-backend-io.h (renamed from include/sysemu/block-backend-io.h)0
-rw-r--r--include/system/block-backend.h (renamed from include/sysemu/block-backend.h)0
-rw-r--r--include/system/block-ram-registrar.h (renamed from include/sysemu/block-ram-registrar.h)0
-rw-r--r--include/system/blockdev.h (renamed from include/sysemu/blockdev.h)0
-rw-r--r--include/system/confidential-guest-support.h (renamed from include/exec/confidential-guest-support.h)6
-rw-r--r--include/system/cpu-throttle.h (renamed from include/sysemu/cpu-throttle.h)6
-rw-r--r--include/system/cpu-timers-internal.h (renamed from include/sysemu/cpu-timers-internal.h)0
-rw-r--r--include/system/cpu-timers.h (renamed from include/sysemu/cpu-timers.h)6
-rw-r--r--include/system/cpus.h (renamed from include/sysemu/cpus.h)2
-rw-r--r--include/system/cryptodev-vhost-user.h (renamed from include/sysemu/cryptodev-vhost-user.h)2
-rw-r--r--include/system/cryptodev-vhost.h (renamed from include/sysemu/cryptodev-vhost.h)2
-rw-r--r--include/system/cryptodev.h (renamed from include/sysemu/cryptodev.h)0
-rw-r--r--include/system/device_tree.h (renamed from include/sysemu/device_tree.h)0
-rw-r--r--include/system/dirtylimit.h (renamed from include/sysemu/dirtylimit.h)0
-rw-r--r--include/system/dirtyrate.h (renamed from include/sysemu/dirtyrate.h)0
-rw-r--r--include/system/dma.h (renamed from include/sysemu/dma.h)0
-rw-r--r--include/system/dump-arch.h (renamed from include/sysemu/dump-arch.h)0
-rw-r--r--include/system/dump.h (renamed from include/sysemu/dump.h)4
-rw-r--r--include/system/event-loop-base.h (renamed from include/sysemu/event-loop-base.h)0
-rw-r--r--include/system/host_iommu_device.h (renamed from include/sysemu/host_iommu_device.h)0
-rw-r--r--include/system/hostmem.h (renamed from include/sysemu/hostmem.h)6
-rw-r--r--include/system/hvf.h (renamed from include/sysemu/hvf.h)0
-rw-r--r--include/system/hvf_int.h (renamed from include/sysemu/hvf_int.h)0
-rw-r--r--include/system/hw_accel.h (renamed from include/sysemu/hw_accel.h)8
-rw-r--r--include/system/iommufd.h (renamed from include/sysemu/iommufd.h)6
-rw-r--r--include/system/iothread.h (renamed from include/sysemu/iothread.h)2
-rw-r--r--include/system/kvm.h (renamed from include/sysemu/kvm.h)0
-rw-r--r--include/system/kvm_int.h (renamed from include/sysemu/kvm_int.h)2
-rw-r--r--include/system/kvm_xen.h (renamed from include/sysemu/kvm_xen.h)6
-rw-r--r--include/system/memory_mapping.h (renamed from include/sysemu/memory_mapping.h)0
-rw-r--r--include/system/numa.h (renamed from include/sysemu/numa.h)5
-rw-r--r--include/system/nvmm.h (renamed from include/sysemu/nvmm.h)0
-rw-r--r--include/system/os-posix.h (renamed from include/sysemu/os-posix.h)0
-rw-r--r--include/system/os-win32.h (renamed from include/sysemu/os-win32.h)0
-rw-r--r--include/system/qtest.h (renamed from include/sysemu/qtest.h)0
-rw-r--r--include/system/replay.h (renamed from include/sysemu/replay.h)4
-rw-r--r--include/system/reset.h (renamed from include/sysemu/reset.h)4
-rw-r--r--include/system/rng-random.h (renamed from include/sysemu/rng-random.h)0
-rw-r--r--include/system/rng.h (renamed from include/sysemu/rng.h)0
-rw-r--r--include/system/rtc.h (renamed from include/sysemu/rtc.h)4
-rw-r--r--include/system/runstate-action.h (renamed from include/sysemu/runstate-action.h)0
-rw-r--r--include/system/runstate.h (renamed from include/sysemu/runstate.h)4
-rw-r--r--include/system/seccomp.h (renamed from include/sysemu/seccomp.h)0
-rw-r--r--include/system/spdm-socket.h (renamed from include/sysemu/spdm-socket.h)0
-rw-r--r--include/system/stats.h (renamed from include/sysemu/stats.h)0
-rw-r--r--include/system/system.h (renamed from include/sysemu/sysemu.h)4
-rw-r--r--include/system/tcg.h (renamed from include/sysemu/tcg.h)4
-rw-r--r--include/system/tpm.h (renamed from include/sysemu/tpm.h)0
-rw-r--r--include/system/tpm_backend.h (renamed from include/sysemu/tpm_backend.h)2
-rw-r--r--include/system/tpm_util.h (renamed from include/sysemu/tpm_util.h)8
-rw-r--r--include/system/vhost-user-backend.h (renamed from include/sysemu/vhost-user-backend.h)0
-rw-r--r--include/system/watchdog.h (renamed from include/sysemu/watchdog.h)0
-rw-r--r--include/system/whpx.h (renamed from include/sysemu/whpx.h)0
-rw-r--r--include/system/xen-mapcache.h (renamed from include/sysemu/xen-mapcache.h)2
-rw-r--r--include/system/xen.h (renamed from include/sysemu/xen.h)6
-rw-r--r--include/user/cpu_loop.h90
-rw-r--r--include/user/guest-host.h87
-rw-r--r--include/user/page-protection.h99
119 files changed, 471 insertions, 418 deletions
diff --git a/include/block/block_int-common.h b/include/block/block_int-common.h
index ebb4e56a50..bb91a0f62f 100644
--- a/include/block/block_int-common.h
+++ b/include/block/block_int-common.h
@@ -28,6 +28,7 @@
 #include "block/block-common.h"
 #include "block/block-global-state.h"
 #include "block/snapshot.h"
+#include "qemu/clang-tsa.h"
 #include "qemu/iov.h"
 #include "qemu/rcu.h"
 #include "qemu/stats64.h"
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index 45e6676938..09f537d06f 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -64,39 +64,7 @@
 
 /* MMU memory access macros */
 
-#if defined(CONFIG_USER_ONLY)
-#include "user/abitypes.h"
-
-/*
- * If non-zero, the guest virtual address space is a contiguous subset
- * of the host virtual address space, i.e. '-R reserved_va' is in effect
- * either from the command-line or by default.  The value is the last
- * byte of the guest address space e.g. UINT32_MAX.
- *
- * If zero, the host and guest virtual address spaces are intermingled.
- */
-extern unsigned long reserved_va;
-
-/*
- * Limit the guest addresses as best we can.
- *
- * When not using -R reserved_va, we cannot really limit the guest
- * to less address space than the host.  For 32-bit guests, this
- * acts as a sanity check that we're not giving the guest an address
- * that it cannot even represent.  For 64-bit guests... the address
- * might not be what the real kernel would give, but it is at least
- * representable in the guest.
- *
- * TODO: Improve address allocation to avoid this problem, and to
- * avoid setting bits at the top of guest addresses that might need
- * to be used for tags.
- */
-#define GUEST_ADDR_MAX_                                                 \
-    ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ?  \
-     UINT32_MAX : ~0ul)
-#define GUEST_ADDR_MAX    (reserved_va ? : GUEST_ADDR_MAX_)
-
-#else
+#if !defined(CONFIG_USER_ONLY)
 
 #include "exec/hwaddr.h"
 
@@ -136,7 +104,7 @@ static inline void stl_phys_notdirty(AddressSpace *as, hwaddr addr, uint32_t val
 #endif
 
 /* page related stuff */
-
+#include "exec/cpu-defs.h"
 #ifdef TARGET_PAGE_BITS_VARY
 # include "exec/page-vary.h"
 extern const TargetPageBits target_page;
@@ -158,84 +126,6 @@ extern const TargetPageBits target_page;
 
 #define TARGET_PAGE_ALIGN(addr) ROUND_UP((addr), TARGET_PAGE_SIZE)
 
-#if defined(CONFIG_USER_ONLY)
-void page_dump(FILE *f);
-
-typedef int (*walk_memory_regions_fn)(void *, target_ulong,
-                                      target_ulong, unsigned long);
-int walk_memory_regions(void *, walk_memory_regions_fn);
-
-int page_get_flags(target_ulong address);
-
-/**
- * page_set_flags:
- * @start: first byte of range
- * @last: last byte of range
- * @flags: flags to set
- * Context: holding mmap lock
- *
- * Modify the flags of a page and invalidate the code if necessary.
- * The flag PAGE_WRITE_ORG is positioned automatically depending
- * on PAGE_WRITE.  The mmap_lock should already be held.
- */
-void page_set_flags(target_ulong start, target_ulong last, int flags);
-
-void page_reset_target_data(target_ulong start, target_ulong last);
-
-/**
- * page_check_range
- * @start: first byte of range
- * @len: length of range
- * @flags: flags required for each page
- *
- * Return true if every page in [@start, @start+@len) has @flags set.
- * Return false if any page is unmapped.  Thus testing flags == 0 is
- * equivalent to testing for flags == PAGE_VALID.
- */
-bool page_check_range(target_ulong start, target_ulong last, int flags);
-
-/**
- * page_check_range_empty:
- * @start: first byte of range
- * @last: last byte of range
- * Context: holding mmap lock
- *
- * Return true if the entire range [@start, @last] is unmapped.
- * The memory lock must be held so that the caller will can ensure
- * the result stays true until a new mapping can be installed.
- */
-bool page_check_range_empty(target_ulong start, target_ulong last);
-
-/**
- * page_find_range_empty
- * @min: first byte of search range
- * @max: last byte of search range
- * @len: size of the hole required
- * @align: alignment of the hole required (power of 2)
- *
- * If there is a range [x, x+@len) within [@min, @max] such that
- * x % @align == 0, then return x.  Otherwise return -1.
- * The memory lock must be held, as the caller will want to ensure
- * the returned range stays empty until a new mapping can be installed.
- */
-target_ulong page_find_range_empty(target_ulong min, target_ulong max,
-                                   target_ulong len, target_ulong align);
-
-/**
- * page_get_target_data(address)
- * @address: guest virtual address
- *
- * Return TARGET_PAGE_DATA_SIZE bytes of out-of-band data to associate
- * with the guest page at @address, allocating it if necessary.  The
- * caller should already have verified that the address is valid.
- *
- * The memory will be freed when the guest page is deallocated,
- * e.g. with the munmap system call.
- */
-void *page_get_target_data(target_ulong address)
-    __attribute__((returns_nonnull));
-#endif
-
 CPUArchState *cpu_copy(CPUArchState *env);
 
 /* Flags for use in ENV->INTERRUPT_PENDING.
@@ -290,8 +180,12 @@ CPUArchState *cpu_copy(CPUArchState *env);
      | CPU_INTERRUPT_TGT_EXT_3   \
      | CPU_INTERRUPT_TGT_EXT_4)
 
+#include "cpu.h"
+
 #ifdef CONFIG_USER_ONLY
 
+static inline int cpu_mmu_index(CPUState *cs, bool ifetch);
+
 /*
  * Allow some level of source compatibility with softmmu.  We do not
  * support any of the more exotic features, so only invalid pages may
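Review bot: The forward declaration `static inline int cpu_mmu_index(CPUState *cs, bool ifetch);` added under `#ifdef CONFIG_USER_ONLY` has no comment saying where the definition lives or why the prototype is needed at this point. A `static inline` prototype with no definition in the same translation unit draws a "used but never defined" diagnostic as soon as code below calls it, so every includer silently depends on also pulling in the defining header. I would add a comment such as `/* Forward declaration: defined in <defining header>; needed by the user-only helpers below. */`, where the header name is a placeholder because it is not visible in this hunk. The `#ifdef CONFIG_USER_ONLY` block continues outside the hunk.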
@@ -381,7 +275,6 @@ static inline bool tlb_hit(uint64_t tlb_addr, vaddr addr)
 #endif /* !CONFIG_USER_ONLY */
 
 /* Validate correct placement of CPUArchState. */
-#include "cpu.h"
 QEMU_BUILD_BUG_ON(offsetof(ArchCPU, parent_obj) != 0);
 QEMU_BUILD_BUG_ON(offsetof(ArchCPU, env) != sizeof(CPUState));
 
diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index 638dc806a5..b1d76d6985 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -186,12 +186,7 @@ int cpu_memory_rw_debug(CPUState *cpu, vaddr addr,
 void list_cpus(void);
 
 #ifdef CONFIG_TCG
-
-bool tcg_cflags_has(CPUState *cpu, uint32_t flags);
-void tcg_cflags_set(CPUState *cpu, uint32_t flags);
-
-/* current cflags for hashing/comparison */
-uint32_t curr_cflags(CPUState *cpu);
+#include "qemu/atomic.h"
 
 /**
  * cpu_unwind_state_data:
@@ -218,6 +213,23 @@ bool cpu_unwind_state_data(CPUState *cpu, uintptr_t host_pc, uint64_t *data);
  */
 bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc);
 
+/**
+ * cpu_loop_exit_requested:
+ * @cpu: The CPU state to be tested
+ *
+ * Indicate if somebody asked for a return of the CPU to the main loop
+ * (e.g., via cpu_exit() or cpu_interrupt()).
+ *
+ * This is helpful for architectures that support interruptible
+ * instructions. After writing back all state to registers/memory, this
+ * call can be used to check if it makes sense to return to the main loop
+ * or to continue executing the interruptible instruction.
+ */
+static inline bool cpu_loop_exit_requested(CPUState *cpu)
+{
+    return (int32_t)qatomic_read(&cpu->neg.icount_decr.u32) < 0;
+}
+
 G_NORETURN void cpu_loop_exit_noexc(CPUState *cpu);
 G_NORETURN void cpu_loop_exit_atomic(CPUState *cpu, uintptr_t pc);
 #endif /* CONFIG_TCG */
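Review bot: `cpu_loop_exit_requested()` dereferences `cpu->neg.icount_decr.u32` inline, so this header now needs the complete `CPUState` definition, yet the only include this commit adds to the file is `qemu/atomic.h` in the previous hunk. If the struct definition does not already arrive through an include above the visible lines, the header stops being self-contained; compiling a file that includes only `exec/cpu-common.h` would confirm it. The kernel-doc also does not explain the `(int32_t)` cast. A one-line comment in the body such as `/* An exit request is visible as a negative value when the counter is read as signed. */` would help, assuming that is the convention the writers of this field follow.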
diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index 0dbef3010c..ae18398fa9 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -23,14 +23,6 @@
 #error cpu.h included from common code
 #endif
 
-#include "qemu/host-utils.h"
-#include "qemu/thread.h"
-#ifndef CONFIG_USER_ONLY
-#include "exec/hwaddr.h"
-#endif
-#include "exec/memattrs.h"
-#include "hw/core/cpu.h"
-
 #include "cpu-param.h"
 
 #ifndef TARGET_LONG_BITS
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index dac12bd8eb..769e9fc440 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -67,57 +67,13 @@
 #endif
 
 #include "exec/memopidx.h"
+#include "exec/vaddr.h"
 #include "exec/abi_ptr.h"
 #include "exec/mmu-access-type.h"
 #include "qemu/int128.h"
 
 #if defined(CONFIG_USER_ONLY)
-
-#include "user/guest-base.h"
-
-#ifndef TARGET_TAGGED_ADDRESSES
-static inline abi_ptr cpu_untagged_addr(CPUState *cs, abi_ptr x)
-{
-    return x;
-}
-#endif
-
-/* All direct uses of g2h and h2g need to go away for usermode softmmu.  */
-static inline void *g2h_untagged(abi_ptr x)
-{
-    return (void *)((uintptr_t)(x) + guest_base);
-}
-
-static inline void *g2h(CPUState *cs, abi_ptr x)
-{
-    return g2h_untagged(cpu_untagged_addr(cs, x));
-}
-
-static inline bool guest_addr_valid_untagged(abi_ulong x)
-{
-    return x <= GUEST_ADDR_MAX;
-}
-
-static inline bool guest_range_valid_untagged(abi_ulong start, abi_ulong len)
-{
-    return len - 1 <= GUEST_ADDR_MAX && start <= GUEST_ADDR_MAX - len + 1;
-}
-
-#define h2g_valid(x) \
-    (HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS || \
-     (uintptr_t)(x) - guest_base <= GUEST_ADDR_MAX)
-
-#define h2g_nocheck(x) ({ \
-    uintptr_t __ret = (uintptr_t)(x) - guest_base; \
-    (abi_ptr)__ret; \
-})
-
-#define h2g(x) ({ \
-    /* Check if given address fits target address space */ \
-    assert(h2g_valid(x)); \
-    h2g_nocheck(x); \
-})
-
+#include "user/guest-host.h"
 #endif /* CONFIG_USER_ONLY */
 
 uint32_t cpu_ldub_data(CPUArchState *env, abi_ptr ptr);
@@ -375,7 +331,7 @@ static inline void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
     return g2h(env_cpu(env), addr);
 }
 #else
-void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
+void *tlb_vaddr_to_host(CPUArchState *env, vaddr addr,
                         MMUAccessType access_type, int mmu_idx);
 #endif
 
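Review bot: The system-mode prototype of `tlb_vaddr_to_host()` now takes `vaddr addr`, while the user-only inline variant named in the hunk header still takes `abi_ptr addr`, so the same function has two parameter types depending on the build. If `abi_ptr` is narrower than `vaddr` for some target (its width is not visible here), a caller that passes a `vaddr` compiles in both modes but has the address implicitly narrowed in user-only builds before it reaches `g2h()`. Either keep both variants on one type or document the difference next to the `#else`, for example `/* user-only variant takes abi_ptr: callers must not pass addresses wider than the guest ABI */`. The inline's signature lies outside the hunk.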
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index 2e4c4cc4b4..d9045c9ac4 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -22,29 +22,10 @@
 
 #include "cpu.h"
 #if defined(CONFIG_USER_ONLY)
-#include "exec/abi_ptr.h"
 #include "exec/cpu_ldst.h"
 #endif
 #include "exec/mmu-access-type.h"
 #include "exec/translation-block.h"
-#include "qemu/clang-tsa.h"
-
-/**
- * cpu_loop_exit_requested:
- * @cpu: The CPU state to be tested
- *
- * Indicate if somebody asked for a return of the CPU to the main loop
- * (e.g., via cpu_exit() or cpu_interrupt()).
- *
- * This is helpful for architectures that support interruptible
- * instructions. After writing back all state to registers/memory, this
- * call can be used to check if it makes sense to return to the main loop
- * or to continue executing the interruptible instruction.
- */
-static inline bool cpu_loop_exit_requested(CPUState *cpu)
-{
-    return (int32_t)qatomic_read(&cpu->neg.icount_decr.u32) < 0;
-}
 
 #if !defined(CONFIG_USER_ONLY) && defined(CONFIG_TCG)
 /* cputlb.c */
@@ -519,75 +500,7 @@ static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
     return get_page_addr_code_hostp(env, addr, NULL);
 }
 
-#if defined(CONFIG_USER_ONLY)
-void TSA_NO_TSA mmap_lock(void);
-void TSA_NO_TSA mmap_unlock(void);
-bool have_mmap_lock(void);
-
-static inline void mmap_unlock_guard(void *unused)
-{
-    mmap_unlock();
-}
-
-#define WITH_MMAP_LOCK_GUARD()                                            \
-    for (int _mmap_lock_iter __attribute__((cleanup(mmap_unlock_guard)))  \
-         = (mmap_lock(), 0); _mmap_lock_iter == 0; _mmap_lock_iter = 1)
-
-/**
- * adjust_signal_pc:
- * @pc: raw pc from the host signal ucontext_t.
- * @is_write: host memory operation was write, or read-modify-write.
- *
- * Alter @pc as required for unwinding.  Return the type of the
- * guest memory access -- host reads may be for guest execution.
- */
-MMUAccessType adjust_signal_pc(uintptr_t *pc, bool is_write);
-
-/**
- * handle_sigsegv_accerr_write:
- * @cpu: the cpu context
- * @old_set: the sigset_t from the signal ucontext_t
- * @host_pc: the host pc, adjusted for the signal
- * @host_addr: the host address of the fault
- *
- * Return true if the write fault has been handled, and should be re-tried.
- */
-bool handle_sigsegv_accerr_write(CPUState *cpu, sigset_t *old_set,
-                                 uintptr_t host_pc, abi_ptr guest_addr);
-
-/**
- * cpu_loop_exit_sigsegv:
- * @cpu: the cpu context
- * @addr: the guest address of the fault
- * @access_type: access was read/write/execute
- * @maperr: true for invalid page, false for permission fault
- * @ra: host pc for unwinding
- *
- * Use the TCGCPUOps hook to record cpu state, do guest operating system
- * specific things to raise SIGSEGV, and jump to the main cpu loop.
- */
-G_NORETURN void cpu_loop_exit_sigsegv(CPUState *cpu, target_ulong addr,
-                                      MMUAccessType access_type,
-                                      bool maperr, uintptr_t ra);
-
-/**
- * cpu_loop_exit_sigbus:
- * @cpu: the cpu context
- * @addr: the guest address of the alignment fault
- * @access_type: access was read/write/execute
- * @ra: host pc for unwinding
- *
- * Use the TCGCPUOps hook to record cpu state, do guest operating system
- * specific things to raise SIGBUS, and jump to the main cpu loop.
- */
-G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
-                                     MMUAccessType access_type,
-                                     uintptr_t ra);
-
-#else
-static inline void mmap_lock(void) {}
-static inline void mmap_unlock(void) {}
-#define WITH_MMAP_LOCK_GUARD()
+#if !defined(CONFIG_USER_ONLY)
 
 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
 void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t length);
diff --git a/include/exec/page-protection.h b/include/exec/page-protection.h
index c43231af8b..bae3355f62 100644
--- a/include/exec/page-protection.h
+++ b/include/exec/page-protection.h
@@ -38,4 +38,28 @@
  */
 #define PAGE_PASSTHROUGH 0x0800
 
+#ifdef CONFIG_USER_ONLY
+
+#include "qemu/clang-tsa.h"
+
+void TSA_NO_TSA mmap_lock(void);
+void TSA_NO_TSA mmap_unlock(void);
+bool have_mmap_lock(void);
+
+static inline void mmap_unlock_guard(void *unused)
+{
+    mmap_unlock();
+}
+
+#define WITH_MMAP_LOCK_GUARD() \
+    for (int _mmap_lock_iter __attribute__((cleanup(mmap_unlock_guard))) \
+         = (mmap_lock(), 0); _mmap_lock_iter == 0; _mmap_lock_iter = 1)
+#else
+
+static inline void mmap_lock(void) {}
+static inline void mmap_unlock(void) {}
+#define WITH_MMAP_LOCK_GUARD()
+
+#endif /* !CONFIG_USER_ONLY */
+
 #endif
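Review bot: `WITH_MMAP_LOCK_GUARD()` is added without any comment, and its two expansions differ in control flow: the user-only form is a one-iteration `for` loop, while the `#else` form expands to nothing. A `break` or `continue` inside the guarded statement therefore binds to the guard's own loop in user-only builds and to whatever loop encloses it in the other build, which is easy to get wrong in code shared by both. I would document this above the macro, e.g. `/* Run the following statement once with mmap_lock held; the lock is dropped on every exit from it. Do not use break/continue inside. */`.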
diff --git a/include/exec/ram_addr.h b/include/exec/ram_addr.h
index 891c44cf2d..ff157c1f42 100644
--- a/include/exec/ram_addr.h
+++ b/include/exec/ram_addr.h
@@ -21,13 +21,16 @@
 
 #ifndef CONFIG_USER_ONLY
 #include "cpu.h"
-#include "sysemu/xen.h"
-#include "sysemu/tcg.h"
+#include "system/xen.h"
+#include "system/tcg.h"
 #include "exec/ramlist.h"
 #include "exec/ramblock.h"
 #include "exec/exec-all.h"
 #include "qemu/rcu.h"
 
+#include "exec/hwaddr.h"
+#include "exec/cpu-common.h"
+
 extern uint64_t total_dirty_pages;
 
 /**
diff --git a/include/exec/translate-all.h b/include/exec/translate-all.h
deleted file mode 100644
index 85c9460c7c..0000000000
--- a/include/exec/translate-all.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- *  Translated block handling
- *
- *  Copyright (c) 2003 Fabrice Bellard
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, see <http://www.gnu.org/licenses/>.
- */
-#ifndef TRANSLATE_ALL_H
-#define TRANSLATE_ALL_H
-
-#include "exec/exec-all.h"
-
-
-/* translate-all.c */
-void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr);
-
-#ifdef CONFIG_USER_ONLY
-void page_protect(tb_page_addr_t page_addr);
-int page_unprotect(target_ulong address, uintptr_t pc);
-#endif
-
-#endif /* TRANSLATE_ALL_H */
diff --git a/include/exec/translation-block.h b/include/exec/translation-block.h
index a6d1af6e9b..3c69bc71a9 100644
--- a/include/exec/translation-block.h
+++ b/include/exec/translation-block.h
@@ -7,8 +7,10 @@
 #ifndef EXEC_TRANSLATION_BLOCK_H
 #define EXEC_TRANSLATION_BLOCK_H
 
+#include "qemu/atomic.h"
 #include "qemu/thread.h"
 #include "exec/cpu-common.h"
+#include "exec/vaddr.h"
 #ifdef CONFIG_USER_ONLY
 #include "qemu/interval-tree.h"
 #endif
@@ -152,4 +154,7 @@ static inline uint32_t tb_cflags(const TranslationBlock *tb)
     return qatomic_read(&tb->cflags);
 }
 
+bool tcg_cflags_has(CPUState *cpu, uint32_t flags);
+void tcg_cflags_set(CPUState *cpu, uint32_t flags);
+
 #endif /* EXEC_TRANSLATION_BLOCK_H */
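Review bot: `tcg_cflags_has()` and `tcg_cflags_set()` are declared here without doc comments and without the `#ifdef CONFIG_TCG` guard that surrounded them in `exec/cpu-common.h`, where this commit removes them. Unless this header is only ever included from TCG code (not visible in the hunk), non-TCG builds now see prototypes for functions they may not link. Each prototype should get a kernel-doc block describing `@cpu` and `@flags`, stating for `tcg_cflags_has()` whether it tests for any or for all of the given bits. `curr_cflags()`, removed in the same place, is not re-declared in any hunk shown on this page, so its new home is worth checking.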
diff --git a/include/exec/translator.h b/include/exec/translator.h
index d8dcb77b5f..41e2a41180 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -267,16 +267,15 @@ bool translator_st(const DisasContextBase *db, void *dest,
  */
 size_t translator_st_len(const DisasContextBase *db);
 
-#ifdef COMPILING_PER_TARGET
-/*
- * Return whether addr is on the same page as where disassembly started.
+/**
+ * translator_is_same_page
+ * @db: disassembly context
+ * @addr: virtual address within TB
+ *
+ * Return whether @addr is on the same page as where disassembly started.
  * Translators can use this to enforce the rule that only single-insn
  * translation blocks are allowed to cross page boundaries.
  */
-static inline bool is_same_page(const DisasContextBase *db, vaddr addr)
-{
-    return ((addr ^ db->pc_first) & TARGET_PAGE_MASK) == 0;
-}
-#endif
+bool translator_is_same_page(const DisasContextBase *db, vaddr addr);
 
 #endif /* EXEC__TRANSLATOR_H */
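Review bot: The new kernel-doc block opens with `translator_is_same_page` without the trailing colon that `cpu_loop_exit_requested:` uses in the block this commit adds to `exec/cpu-common.h`; writing `* translator_is_same_page:` keeps the headers uniform. The description still reads "Return whether", and `Return true if @addr is on the same page as where disassembly started.` would state the sense of the result explicitly now that the body is no longer visible in the header.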
diff --git a/include/hw/acpi/tpm.h b/include/hw/acpi/tpm.h
index 579c45f5ba..9d0fe6f2f9 100644
--- a/include/hw/acpi/tpm.h
+++ b/include/hw/acpi/tpm.h
@@ -19,7 +19,7 @@
 #include "qemu/units.h"
 #include "hw/registerfields.h"
 #include "hw/acpi/aml-build.h"
-#include "sysemu/tpm.h"
+#include "system/tpm.h"
 
 #ifdef CONFIG_TPM
 
diff --git a/include/hw/arm/allwinner-a10.h b/include/hw/arm/allwinner-a10.h
index e5815b0d12..445ba1be21 100644
--- a/include/hw/arm/allwinner-a10.h
+++ b/include/hw/arm/allwinner-a10.h
@@ -14,7 +14,7 @@
 #include "hw/i2c/allwinner-i2c.h"
 #include "hw/ssi/allwinner-a10-spi.h"
 #include "hw/watchdog/allwinner-wdt.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 
 #include "target/arm/cpu.h"
 #include "qom/object.h"
diff --git a/include/hw/arm/allwinner-h3.h b/include/hw/arm/allwinner-h3.h
index 24ba4e1bf4..db897c86f0 100644
--- a/include/hw/arm/allwinner-h3.h
+++ b/include/hw/arm/allwinner-h3.h
@@ -49,7 +49,7 @@
 #include "hw/i2c/allwinner-i2c.h"
 #include "hw/watchdog/allwinner-wdt.h"
 #include "target/arm/cpu.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 
 /**
  * Allwinner H3 device list
diff --git a/include/hw/arm/allwinner-r40.h b/include/hw/arm/allwinner-r40.h
index 614e74b7ed..f8a0e94251 100644
--- a/include/hw/arm/allwinner-r40.h
+++ b/include/hw/arm/allwinner-r40.h
@@ -35,7 +35,7 @@
 #include "hw/usb/hcd-ehci.h"
 #include "hw/watchdog/allwinner-wdt.h"
 #include "target/arm/cpu.h"
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 
 enum {
     AW_R40_DEV_SRAM_A1,
diff --git a/include/hw/arm/virt.h b/include/hw/arm/virt.h
index aca4f8061b..c8e94e6aed 100644
--- a/include/hw/arm/virt.h
+++ b/include/hw/arm/virt.h
@@ -36,7 +36,7 @@
 #include "hw/arm/boot.h"
 #include "hw/arm/bsa.h"
 #include "hw/block/flash.h"
-#include "sysemu/kvm.h"
+#include "system/kvm.h"
 #include "hw/intc/arm_gicv3_common.h"
 #include "qom/object.h"
 
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 5723ee76bd..2ad711e56d 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -4,8 +4,8 @@
 #define HW_BOARDS_H
 
 #include "exec/memory.h"
-#include "sysemu/hostmem.h"
-#include "sysemu/blockdev.h"
+#include "system/hostmem.h"
+#include "system/blockdev.h"
 #include "qapi/qapi-types-machine.h"
 #include "qemu/module.h"
 #include "qom/object.h"
diff --git a/include/hw/core/sysemu-cpu-ops.h b/include/hw/core/sysemu-cpu-ops.h
index 24d003fe04..0df5b058f5 100644
--- a/include/hw/core/sysemu-cpu-ops.h
+++ b/include/hw/core/sysemu-cpu-ops.h
@@ -7,8 +7,8 @@
  * See the COPYING file in the top-level directory.
  */
 
-#ifndef SYSEMU_CPU_OPS_H
-#define SYSEMU_CPU_OPS_H
+#ifndef SYSTEM_CPU_OPS_H
+#define SYSTEM_CPU_OPS_H
 
 #include "hw/core/cpu.h"
 
@@ -89,4 +89,4 @@ typedef struct SysemuCPUOps {
 
 } SysemuCPUOps;
 
-#endif /* SYSEMU_CPU_OPS_H */
+#endif /* SYSTEM_CPU_OPS_H */
diff --git a/include/hw/dma/xlnx-zdma.h b/include/hw/dma/xlnx-zdma.h
index efc75217d5..9c57c49910 100644
--- a/include/hw/dma/xlnx-zdma.h
+++ b/include/hw/dma/xlnx-zdma.h
@@ -31,7 +31,7 @@
 
 #include "hw/sysbus.h"
 #include "hw/register.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "qom/object.h"
 
 #define ZDMA_R_MAX (0x204 / 4)
diff --git a/include/hw/dma/xlnx_dpdma.h b/include/hw/dma/xlnx_dpdma.h
index 40537a848b..1ec0d265be 100644
--- a/include/hw/dma/xlnx_dpdma.h
+++ b/include/hw/dma/xlnx_dpdma.h
@@ -27,7 +27,7 @@
 
 #include "hw/sysbus.h"
 #include "ui/console.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "qom/object.h"
 
 #define XLNX_DPDMA_REG_ARRAY_SIZE (0x1000 >> 2)
diff --git a/include/hw/hyperv/vmbus.h b/include/hw/hyperv/vmbus.h
index 5c505852f2..06b948bbb0 100644
--- a/include/hw/hyperv/vmbus.h
+++ b/include/hw/hyperv/vmbus.h
@@ -10,8 +10,8 @@
 #ifndef HW_HYPERV_VMBUS_H
 #define HW_HYPERV_VMBUS_H
 
-#include "sysemu/sysemu.h"
-#include "sysemu/dma.h"
+#include "system/system.h"
+#include "system/dma.h"
 #include "hw/qdev-core.h"
 #include "migration/vmstate.h"
 #include "hw/hyperv/vmbus-proto.h"
diff --git a/include/hw/i386/hostmem-epc.h b/include/hw/i386/hostmem-epc.h
index 846c726085..3988deca85 100644
--- a/include/hw/i386/hostmem-epc.h
+++ b/include/hw/i386/hostmem-epc.h
@@ -12,7 +12,7 @@
 #ifndef QEMU_HOSTMEM_EPC_H
 #define QEMU_HOSTMEM_EPC_H
 
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 
 #define TYPE_MEMORY_BACKEND_EPC "memory-backend-epc"
 
diff --git a/include/hw/ide/ide-dev.h b/include/hw/ide/ide-dev.h
index 9a0d71db4e..92e8868780 100644
--- a/include/hw/ide/ide-dev.h
+++ b/include/hw/ide/ide-dev.h
@@ -20,7 +20,7 @@
 #ifndef IDE_DEV_H
 #define IDE_DEV_H
 
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "hw/qdev-properties.h"
 #include "hw/block/block.h"
 
diff --git a/include/hw/isa/superio.h b/include/hw/isa/superio.h
index 0dc45104d4..14d051348b 100644
--- a/include/hw/isa/superio.h
+++ b/include/hw/isa/superio.h
@@ -10,7 +10,7 @@
 #ifndef HW_ISA_SUPERIO_H
 #define HW_ISA_SUPERIO_H
 
-#include "sysemu/sysemu.h"
+#include "system/system.h"
 #include "hw/isa/isa.h"
 #include "qom/object.h"
 
diff --git a/include/hw/nvram/fw_cfg.h b/include/hw/nvram/fw_cfg.h
index c60361dc9e..47578ccc7f 100644
--- a/include/hw/nvram/fw_cfg.h
+++ b/include/hw/nvram/fw_cfg.h
@@ -4,7 +4,7 @@
 #include "exec/hwaddr.h"
 #include "standard-headers/linux/qemu_fw_cfg.h"
 #include "hw/sysbus.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "qom/object.h"
 
 #define TYPE_FW_CFG     "fw_cfg"
diff --git a/include/hw/nvram/xlnx-bbram.h b/include/hw/nvram/xlnx-bbram.h
index bce8e89d90..58acbe9f51 100644
--- a/include/hw/nvram/xlnx-bbram.h
+++ b/include/hw/nvram/xlnx-bbram.h
@@ -26,7 +26,7 @@
 #ifndef XLNX_BBRAM_H
 #define XLNX_BBRAM_H
 
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "hw/qdev-core.h"
 #include "hw/irq.h"
 #include "hw/sysbus.h"
diff --git a/include/hw/nvram/xlnx-efuse.h b/include/hw/nvram/xlnx-efuse.h
index cff7924106..ef14fb0528 100644
--- a/include/hw/nvram/xlnx-efuse.h
+++ b/include/hw/nvram/xlnx-efuse.h
@@ -27,7 +27,7 @@
 #ifndef XLNX_EFUSE_H
 #define XLNX_EFUSE_H
 
-#include "sysemu/block-backend.h"
+#include "system/block-backend.h"
 #include "hw/qdev-core.h"
 
 #define TYPE_XLNX_EFUSE "xlnx-efuse"
diff --git a/include/hw/pci/pci.h b/include/hw/pci/pci.h
index 603c456c3a..cefeb388bd 100644
--- a/include/hw/pci/pci.h
+++ b/include/hw/pci/pci.h
@@ -2,8 +2,8 @@
 #define QEMU_PCI_H
 
 #include "exec/memory.h"
-#include "sysemu/dma.h"
-#include "sysemu/host_iommu_device.h"
+#include "system/dma.h"
+#include "system/host_iommu_device.h"
 
 /* PCI includes legacy ISA access.  */
 #include "hw/isa/isa.h"
diff --git a/include/hw/ppc/mac_dbdma.h b/include/hw/ppc/mac_dbdma.h
index c774f6bf84..672c2be471 100644
--- a/include/hw/ppc/mac_dbdma.h
+++ b/include/hw/ppc/mac_dbdma.h
@@ -25,7 +25,7 @@
 
 #include "exec/memory.h"
 #include "qemu/iov.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "hw/sysbus.h"
 #include "qom/object.h"
 
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index af4aa1cb0f..a6c0547e31 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -2,7 +2,7 @@
 #define HW_SPAPR_H
 
 #include "qemu/units.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "hw/boards.h"
 #include "hw/ppc/spapr_drc.h"
 #include "hw/mem/pc-dimm.h"
diff --git a/include/hw/ppc/spapr_drc.h b/include/hw/ppc/spapr_drc.h
index 02a63b3666..9ff42909c9 100644
--- a/include/hw/ppc/spapr_drc.h
+++ b/include/hw/ppc/spapr_drc.h
@@ -15,7 +15,7 @@
 
 #include <libfdt.h>
 #include "qom/object.h"
-#include "sysemu/runstate.h"
+#include "system/runstate.h"
 #include "hw/qdev-core.h"
 #include "qapi/error.h"
 
diff --git a/include/hw/ppc/spapr_vio.h b/include/hw/ppc/spapr_vio.h
index 7eae1a4847..b8de4b06fb 100644
--- a/include/hw/ppc/spapr_vio.h
+++ b/include/hw/ppc/spapr_vio.h
@@ -23,7 +23,7 @@
  */
 
 #include "hw/ppc/spapr.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 #include "hw/irq.h"
 #include "qom/object.h"
 
diff --git a/include/hw/ppc/xive.h b/include/hw/ppc/xive.h
index ebee982528..ea5d03a346 100644
--- a/include/hw/ppc/xive.h
+++ b/include/hw/ppc/xive.h
@@ -140,7 +140,7 @@
 #ifndef PPC_XIVE_H
 #define PPC_XIVE_H
 
-#include "sysemu/kvm.h"
+#include "system/kvm.h"
 #include "hw/sysbus.h"
 #include "hw/ppc/xive_regs.h"
 #include "qom/object.h"
diff --git a/include/hw/riscv/numa.h b/include/hw/riscv/numa.h
index 8f5280211d..147f01619b 100644
--- a/include/hw/riscv/numa.h
+++ b/include/hw/riscv/numa.h
@@ -21,7 +21,7 @@
 
 #include "hw/boards.h"
 #include "hw/sysbus.h"
-#include "sysemu/numa.h"
+#include "system/numa.h"
 
 /**
  * riscv_socket_count:
diff --git a/include/hw/s390x/css.h b/include/hw/s390x/css.h
index 8289e45837..cd97e2b707 100644
--- a/include/hw/s390x/css.h
+++ b/include/hw/s390x/css.h
@@ -15,7 +15,7 @@
 #include "hw/s390x/adapter.h"
 #include "hw/s390x/s390_flic.h"
 #include "hw/s390x/ioinst.h"
-#include "sysemu/kvm.h"
+#include "system/kvm.h"
 #include "target/s390x/cpu-qom.h"
 
 /* Channel subsystem constants. */
diff --git a/include/hw/s390x/s390-pci-inst.h b/include/hw/s390x/s390-pci-inst.h
index a55c448aad..5cb8da540b 100644
--- a/include/hw/s390x/s390-pci-inst.h
+++ b/include/hw/s390x/s390-pci-inst.h
@@ -15,7 +15,7 @@
 #define HW_S390_PCI_INST_H
 
 #include "s390-pci-bus.h"
-#include "sysemu/dma.h"
+#include "system/dma.h"
 
 /* Load/Store status codes */
 #define ZPCI_PCI_ST_FUNC_NOT_ENABLED        4
diff --git a/include/hw/tricore/triboard.h b/include/hw/tricore/triboard.h
index 4fdd2d7d97..8250470643 100644
--- a/include/hw/tricore/triboard.h
+++ b/include/hw/tricore/triboard.h
@@ -20,7 +20,7 @@
 
 #include "qapi/error.h"
 #include "hw/boards.h"
-#include "sysemu/sysemu.h"
+#include "system/system.h"
 #include "exec/address-spaces.h"
 #include "qom/object.h"
 
diff --git a/include/hw/vfio/vfio-common.h b/include/hw/vfio/vfio-common.h
index e0ce6ec3a9..d57111843d 100644
--- a/include/hw/vfio/vfio-common.h
+++ b/include/hw/vfio/vfio-common.h
@@ -29,10 +29,10 @@
 #ifdef CONFIG_LINUX
 #include <linux/vfio.h>
 #endif
-#include "sysemu/sysemu.h"
+#include "system/system.h"
 #include "hw/vfio/vfio-container-base.h"
-#include "sysemu/host_iommu_device.h"
-#include "sysemu/iommufd.h"
+#include "system/host_iommu_device.h"
+#include "system/iommufd.h"
 
 #define VFIO_MSG_PREFIX "vfio %s: "
 
diff --git a/include/hw/virtio/virtio-balloon.h b/include/hw/virtio/virtio-balloon.h
index 5139cf8ab6..b12c18a43b 100644
--- a/include/hw/virtio/virtio-balloon.h
+++ b/include/hw/virtio/virtio-balloon.h
@@ -17,7 +17,7 @@
 
 #include "standard-headers/linux/virtio_balloon.h"
 #include "hw/virtio/virtio.h"
-#include "sysemu/iothread.h"
+#include "system/iothread.h"
 #include "qom/object.h"
 
 #define TYPE_VIRTIO_BALLOON "virtio-balloon-device"
diff --git a/include/hw/virtio/virtio-blk.h b/include/hw/virtio/virtio-blk.h
index 5c14110c4b..8a16218c40 100644
--- a/include/hw/virtio/virtio-blk.h
+++ b/include/hw/virtio/virtio-blk.h
@@ -17,9 +17,9 @@
 #include "standard-headers/linux/virtio_blk.h"
 #include "hw/virtio/virtio.h"
 #include "hw/block/block.h"
-#include "sysemu/iothread.h"
-#include "sysemu/block-backend.h"
-#include "sysemu/block-ram-registrar.h"
+#include "system/iothread.h"
+#include "system/block-backend.h"
+#include "system/block-ram-registrar.h"
 #include "qom/object.h"
 #include "qapi/qapi-types-virtio.h"
 
diff --git a/include/hw/virtio/virtio-crypto.h b/include/hw/virtio/virtio-crypto.h
index 348749f5d5..2d56513693 100644
--- a/include/hw/virtio/virtio-crypto.h
+++ b/include/hw/virtio/virtio-crypto.h
@@ -16,8 +16,8 @@
 
 #include "standard-headers/linux/virtio_crypto.h"
 #include "hw/virtio/virtio.h"
-#include "sysemu/iothread.h"
-#include "sysemu/cryptodev.h"
+#include "system/iothread.h"
+#include "system/cryptodev.h"
 #include "qom/object.h"
 
 
diff --git a/include/hw/virtio/virtio-gpu.h b/include/hw/virtio/virtio-gpu.h
index 8c977beebd..bd93672185 100644
--- a/include/hw/virtio/virtio-gpu.h
+++ b/include/hw/virtio/virtio-gpu.h
@@ -19,7 +19,7 @@
 #include "ui/console.h"
 #include "hw/virtio/virtio.h"
 #include "qemu/log.h"
-#include "sysemu/vhost-user-backend.h"
+#include "system/vhost-user-backend.h"
 
 #include "standard-headers/linux/virtio_gpu.h"
 #include "standard-headers/linux/virtio_ids.h"
diff --git a/include/hw/virtio/virtio-input.h b/include/hw/virtio/virtio-input.h
index e69c0aeca3..e097b0b521 100644
--- a/include/hw/virtio/virtio-input.h
+++ b/include/hw/virtio/virtio-input.h
@@ -4,7 +4,7 @@
 #include "hw/virtio/vhost-user.h"
 #include "hw/virtio/vhost-user-base.h"
 #include "ui/input.h"
-#include "sysemu/vhost-user-backend.h"
+#include "system/vhost-user-backend.h"
 
 /* ----------------------------------------------------------------- */
 /* virtio input protocol                                             */
diff --git a/include/hw/virtio/virtio-iommu.h b/include/hw/virtio/virtio-iommu.h
index 7db4210b16..3b86050f2c 100644
--- a/include/hw/virtio/virtio-iommu.h
+++ b/include/hw/virtio/virtio-iommu.h
@@ -25,7 +25,7 @@
 #include "hw/pci/pci.h"
 #include "qom/object.h"
 #include "qapi/qapi-types-virtio.h"
-#include "sysemu/host_iommu_device.h"
+#include "system/host_iommu_device.h"
 
 #define TYPE_VIRTIO_IOMMU "virtio-iommu-device"
 #define TYPE_VIRTIO_IOMMU_PCI "virtio-iommu-pci"
diff --git a/include/hw/virtio/virtio-mem.h b/include/hw/virtio/virtio-mem.h
index a1af144c28..b23946b770 100644
--- a/include/hw/virtio/virtio-mem.h
+++ b/include/hw/virtio/virtio-mem.h
@@ -17,7 +17,7 @@
 #include "hw/resettable.h"
 #include "hw/virtio/virtio.h"
 #include "qapi/qapi-types-misc.h"
-#include "sysemu/hostmem.h"
+#include "system/hostmem.h"
 #include "qom/object.h"
 
 #define TYPE_VIRTIO_MEM "virtio-mem"
diff --git a/include/hw/virtio/virtio-rng.h b/include/hw/virtio/virtio-rng.h
index 82734255d9..7e6d27f9f0 100644
--- a/include/hw/virtio/virtio-rng.h
+++ b/include/hw/virtio/virtio-rng.h
@@ -13,7 +13,7 @@
 #define QEMU_VIRTIO_RNG_H
 
 #include "hw/virtio/virtio.h"
-#include "sysemu/rng.h"
+#include "system/rng.h"
 #include "standard-headers/linux/virtio_rng.h"
 #include "qom/object.h"
 
diff --git a/include/hw/virtio/virtio-scsi.h b/include/hw/virtio/virtio-scsi.h
index 7be0105918..be230cd4bf 100644
--- a/include/hw/virtio/virtio-scsi.h
+++ b/include/hw/virtio/virtio-scsi.h
@@ -22,7 +22,7 @@
 #include "hw/virtio/virtio.h"
 #include "hw/scsi/scsi.h"
 #include "chardev/char-fe.h"
-#include "sysemu/iothread.h"
+#include "system/iothread.h"
 
 #define TYPE_VIRTIO_SCSI_COMMON "virtio-scsi-common"
 OBJECT_DECLARE_SIMPLE_TYPE(VirtIOSCSICommon, VIRTIO_SCSI_COMMON)
diff --git a/include/hw/xen/xen-block.h b/include/hw/xen/xen-block.h
index d692ea7580..449a7f75fb 100644
--- a/include/hw/xen/xen-block.h
+++ b/include/hw/xen/xen-block.h
@@ -11,7 +11,7 @@
 #include "hw/xen/xen-bus.h"
 #include "hw/block/block.h"
 #include "hw/block/dataplane/xen-block.h"
-#include "sysemu/iothread.h"
+#include "system/iothread.h"
 #include "qom/object.h"
 
 typedef enum XenBlockVdevType {
diff --git a/include/hw/xen/xen-hvm-common.h b/include/hw/xen/xen-hvm-common.h
index 0f586c4384..c1ea2c0d78 100644
--- a/include/hw/xen/xen-hvm-common.h
+++ b/include/hw/xen/xen-hvm-common.h
@@ -8,10 +8,10 @@
 #include "hw/hw.h"
 #include "hw/xen/xen_native.h"
 #include "hw/xen/xen-legacy-backend.h"
-#include "sysemu/runstate.h"
-#include "sysemu/sysemu.h"
-#include "sysemu/xen.h"
-#include "sysemu/xen-mapcache.h"
+#include "system/runstate.h"
+#include "system/system.h"
+#include "system/xen.h"
+#include "system/xen-mapcache.h"
 #include "qemu/error-report.h"
 #include <xen/hvm/ioreq.h>
 
diff --git a/include/hw/xen/xen.h b/include/hw/xen/xen.h
index ecb89ecfc1..e94c6e5a31 100644
--- a/include/hw/xen/xen.h
+++ b/include/hw/xen/xen.h
@@ -24,8 +24,6 @@
 #define __XEN_INTERFACE_VERSION__ 0x00040e00
 #endif
 
-#include "exec/cpu-common.h"
-
 /* xen-machine.c */
 enum xen_mode {
     XEN_DISABLED = 0, /* xen support disabled (default) */
diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index ff3084538b..e545bbf620 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -16,6 +16,7 @@
 #define QEMU_COROUTINE_H
 
 #include "qemu/coroutine-core.h"
+#include "qemu/atomic.h"
 #include "qemu/queue.h"
 #include "qemu/timer.h"
 
diff --git a/include/qemu/log.h b/include/qemu/log.h
index e10e24cd4f..60da703e67 100644
--- a/include/qemu/log.h
+++ b/include/qemu/log.h
@@ -37,6 +37,7 @@ bool qemu_log_separate(void);
 #define LOG_PER_THREAD     (1 << 20)
 #define CPU_LOG_TB_VPU     (1 << 21)
 #define LOG_TB_OP_PLUGIN   (1 << 22)
+#define LOG_INVALID_MEM    (1 << 23)
 
 /* Lock/unlock output. */
 
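Review bot: `LOG_INVALID_MEM` is added at bit 23 with no comment saying which accesses it is meant to cover or how it differs from the existing masks, and the neighbouring defines give no hint either. A short comment on the new line would help, for example `/* log invalid memory accesses */`, with the exact scope filled in by the author, since it is only inferred from the name here. This diff is limited to include/, so it cannot be checked whether the flag also has an entry in the table that maps `-d` item names to mask bits; without one the bit could not be selected by name.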
diff --git a/include/qemu/main-loop.h b/include/qemu/main-loop.h
index 3935a57339..4e2436b196 100644
--- a/include/qemu/main-loop.h
+++ b/include/qemu/main-loop.h
@@ -27,7 +27,7 @@
 
 #include "block/aio.h"
 #include "qom/object.h"
-#include "sysemu/event-loop-base.h"
+#include "system/event-loop-base.h"
 
 #define SIG_IPI SIGUSR1
 
diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index fdff07fd99..b94fb5fab8 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -8,7 +8,7 @@
  * To avoid getting into possible circular include dependencies, this
  * file should not include any other QEMU headers, with the exceptions
  * of config-host.h, config-target.h, qemu/compiler.h,
- * sysemu/os-posix.h, sysemu/os-win32.h, glib-compat.h and
+ * system/os-posix.h, system/os-win32.h, glib-compat.h and
  * qemu/typedefs.h, all of which are doing a similar job to this file
  * and are under similar constraints.
  *
@@ -128,7 +128,7 @@ QEMU_EXTERN_C int daemon(int, int);
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <assert.h>
-/* setjmp must be declared before sysemu/os-win32.h
+/* setjmp must be declared before system/os-win32.h
  * because it is redefined there. */
 #include <setjmp.h>
 #include <signal.h>
@@ -161,11 +161,11 @@ QEMU_EXTERN_C int daemon(int, int);
 #include "glib-compat.h"
 
 #ifdef _WIN32
-#include "sysemu/os-win32.h"
+#include "system/os-win32.h"
 #endif
 
 #ifdef CONFIG_POSIX
-#include "sysemu/os-posix.h"
+#include "system/os-posix.h"
 #endif
 
 #ifdef __cplusplus
diff --git a/include/qom/object.h b/include/qom/object.h
index a201c9712a..95d6e064d9 100644
--- a/include/qom/object.h
+++ b/include/qom/object.h
@@ -26,6 +26,7 @@ typedef struct InterfaceClass InterfaceClass;
 typedef struct InterfaceInfo InterfaceInfo;
 
 #define TYPE_OBJECT "object"
+#define TYPE_CONTAINER "container"
 
 typedef struct ObjectProperty ObjectProperty;
 
@@ -2019,6 +2020,18 @@ int object_child_foreach_recursive(Object *obj,
 Object *container_get(Object *root, const char *path);
 
 /**
+ * object_property_add_new_container:
+ * @obj: the parent object
+ * @name: the name of the parent object's property to add
+ *
+ * Add a newly created container object to a parent object.
+ *
+ * Returns: the newly created container object.  Its reference count is 1,
+ * and the reference is owned by the parent object.
+ */
+Object *object_property_add_new_container(Object *obj, const char *name);
+
+/**
  * object_property_help:
  * @name: the name of the property
  * @type: the type of the property
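Review bot: The new kernel-doc for `object_property_add_new_container()` does not say what happens when @obj already has a property called @name, and the prototype has no `Error **` parameter through which such a failure could be reported. If the implementation (not part of this include/ diff) treats that as a programming error, state it, e.g. ` * It is a programming error if @obj already has a property named @name.`; if it can return NULL, say so under Returns. Because the only reference belongs to the parent, one more line telling callers not to `object_unref()` the result without first taking their own reference would make the ownership rule harder to misread. The trailing context lines are the start of the `object_property_help` comment, which continues outside the hunk.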
diff --git a/include/sysemu/accel-blocker.h b/include/system/accel-blocker.h
index f07f368358..e10099d6a9 100644
--- a/include/sysemu/accel-blocker.h
+++ b/include/system/accel-blocker.h
@@ -14,7 +14,7 @@
 #ifndef ACCEL_BLOCKER_H
 #define ACCEL_BLOCKER_H
 
-#include "sysemu/cpus.h"
+#include "system/cpus.h"
 
 void accel_blocker_init(void);
 
diff --git a/include/sysemu/accel-ops.h b/include/system/accel-ops.h
index a088672230..137fb96d44 100644
--- a/include/sysemu/accel-ops.h
+++ b/include/system/accel-ops.h
@@ -10,7 +10,7 @@
 #ifndef ACCEL_OPS_H
 #define ACCEL_OPS_H
 
-#include "exec/cpu-common.h"
+#include "exec/vaddr.h"
 #include "qom/object.h"
 
 #define ACCEL_OPS_SUFFIX "-ops"
diff --git a/include/sysemu/arch_init.h b/include/system/arch_init.h
index 5b1c1026f3..5b1c1026f3 100644
--- a/include/sysemu/arch_init.h
+++ b/include/system/arch_init.h
diff --git a/include/sysemu/balloon.h b/include/system/balloon.h
index 867687b73a..867687b73a 100644
--- a/include/sysemu/balloon.h
+++ b/include/system/balloon.h
diff --git a/include/sysemu/block-backend-common.h b/include/system/block-backend-common.h
index 780cea7305..780cea7305 100644
--- a/include/sysemu/block-backend-common.h
+++ b/include/system/block-backend-common.h
diff --git a/include/sysemu/block-backend-global-state.h b/include/system/block-backend-global-state.h
index 9cc9b008ec..9cc9b008ec 100644
--- a/include/sysemu/block-backend-global-state.h
+++ b/include/system/block-backend-global-state.h
diff --git a/include/sysemu/block-backend-io.h b/include/system/block-backend-io.h
index d174275a5c..d174275a5c 100644
--- a/include/sysemu/block-backend-io.h
+++ b/include/system/block-backend-io.h
diff --git a/include/sysemu/block-backend.h b/include/system/block-backend.h
index 038be9fc40..038be9fc40 100644
--- a/include/sysemu/block-backend.h
+++ b/include/system/block-backend.h
diff --git a/include/sysemu/block-ram-registrar.h b/include/system/block-ram-registrar.h
index d8b2f7942b..d8b2f7942b 100644
--- a/include/sysemu/block-ram-registrar.h
+++ b/include/system/block-ram-registrar.h
diff --git a/include/sysemu/blockdev.h b/include/system/blockdev.h
index 3211b16513..3211b16513 100644
--- a/include/sysemu/blockdev.h
+++ b/include/system/blockdev.h
diff --git a/include/exec/confidential-guest-support.h b/include/system/confidential-guest-support.h
index 02dc4e518f..b68c4bebbc 100644
--- a/include/exec/confidential-guest-support.h
+++ b/include/system/confidential-guest-support.h
@@ -18,7 +18,9 @@
 #ifndef QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
 #define QEMU_CONFIDENTIAL_GUEST_SUPPORT_H
 
-#ifndef CONFIG_USER_ONLY
+#ifdef CONFIG_USER_ONLY
+#error Cannot include system/confidential-guest-support.h from user emulation
+#endif
 
 #include "qom/object.h"
 
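Review bot: The `#error` text added here spells out the header's own path, which has to be hand-edited whenever the file moves; this same diff has to rewrite the equivalent message in system/xen.h for exactly that reason. system/replay.h already uses a path-free wording, and the same here would read `#error Cannot include this header from user emulation`. Separately, the old `#ifndef CONFIG_USER_ONLY` wrapper made the header expand to nothing in user-mode builds, whereas the new form fails the build for any user-mode translation unit that reaches it, including through another header. That looks intended, but the includers are outside this include/ diff and should be confirmed to be system-only.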
@@ -94,6 +96,4 @@ static inline int confidential_guest_kvm_reset(ConfidentialGuestSupport *cgs,
     return 0;
 }
 
-#endif /* !CONFIG_USER_ONLY */
-
 #endif /* QEMU_CONFIDENTIAL_GUEST_SUPPORT_H */
diff --git a/include/sysemu/cpu-throttle.h b/include/system/cpu-throttle.h
index 420702b8d3..44bf6a5389 100644
--- a/include/sysemu/cpu-throttle.h
+++ b/include/system/cpu-throttle.h
@@ -16,8 +16,8 @@
  * <http://www.gnu.org/licenses/gpl-2.0.html>
  */
 
-#ifndef SYSEMU_CPU_THROTTLE_H
-#define SYSEMU_CPU_THROTTLE_H
+#ifndef SYSTEM_CPU_THROTTLE_H
+#define SYSTEM_CPU_THROTTLE_H
 
 #include "qemu/timer.h"
 
@@ -79,4 +79,4 @@ void cpu_throttle_dirty_sync_timer_tick(void *opaque);
  */
 void cpu_throttle_dirty_sync_timer(bool enable);
 
-#endif /* SYSEMU_CPU_THROTTLE_H */
+#endif /* SYSTEM_CPU_THROTTLE_H */
diff --git a/include/sysemu/cpu-timers-internal.h b/include/system/cpu-timers-internal.h
index 94bb7394c5..94bb7394c5 100644
--- a/include/sysemu/cpu-timers-internal.h
+++ b/include/system/cpu-timers-internal.h
diff --git a/include/sysemu/cpu-timers.h b/include/system/cpu-timers.h
index 7bfa960fbd..64ae54f6d6 100644
--- a/include/sysemu/cpu-timers.h
+++ b/include/system/cpu-timers.h
@@ -7,8 +7,8 @@
  * See the COPYING file in the top-level directory.
  *
  */
-#ifndef SYSEMU_CPU_TIMERS_H
-#define SYSEMU_CPU_TIMERS_H
+#ifndef SYSTEM_CPU_TIMERS_H
+#define SYSTEM_CPU_TIMERS_H
 
 #include "qemu/timer.h"
 
@@ -101,4 +101,4 @@ int64_t cpus_get_virtual_clock(void);
 void cpus_set_virtual_clock(int64_t new_time);
 int64_t cpus_get_elapsed_ticks(void);
 
-#endif /* SYSEMU_CPU_TIMERS_H */
+#endif /* SYSTEM_CPU_TIMERS_H */
diff --git a/include/sysemu/cpus.h b/include/system/cpus.h
index b4a566cfe7..3d8fd368f3 100644
--- a/include/sysemu/cpus.h
+++ b/include/system/cpus.h
@@ -1,7 +1,7 @@
 #ifndef QEMU_CPUS_H
 #define QEMU_CPUS_H
 
-#include "sysemu/accel-ops.h"
+#include "system/accel-ops.h"
 
 /* register accel-specific operations */
 void cpus_register_accel(const AccelOpsClass *i);
diff --git a/include/sysemu/cryptodev-vhost-user.h b/include/system/cryptodev-vhost-user.h
index 60710502c2..5138c146fa 100644
--- a/include/sysemu/cryptodev-vhost-user.h
+++ b/include/system/cryptodev-vhost-user.h
@@ -24,7 +24,7 @@
 #ifndef CRYPTODEV_VHOST_USER_H
 #define CRYPTODEV_VHOST_USER_H
 
-#include "sysemu/cryptodev-vhost.h"
+#include "system/cryptodev-vhost.h"
 
 #define VHOST_USER_MAX_AUTH_KEY_LEN    512
 #define VHOST_USER_MAX_CIPHER_KEY_LEN  64
diff --git a/include/sysemu/cryptodev-vhost.h b/include/system/cryptodev-vhost.h
index 4c3c22acae..b0bb09e70a 100644
--- a/include/sysemu/cryptodev-vhost.h
+++ b/include/system/cryptodev-vhost.h
@@ -28,7 +28,7 @@
 #include "hw/virtio/vhost-backend.h"
 #include "chardev/char.h"
 
-#include "sysemu/cryptodev.h"
+#include "system/cryptodev.h"
 
 
 typedef struct CryptoDevBackendVhostOptions {
diff --git a/include/sysemu/cryptodev.h b/include/system/cryptodev.h
index b20822df0d..b20822df0d 100644
--- a/include/sysemu/cryptodev.h
+++ b/include/system/cryptodev.h
diff --git a/include/sysemu/device_tree.h b/include/system/device_tree.h
index eb601522f8..eb601522f8 100644
--- a/include/sysemu/device_tree.h
+++ b/include/system/device_tree.h
diff --git a/include/sysemu/dirtylimit.h b/include/system/dirtylimit.h
index d11ebbbbdb..d11ebbbbdb 100644
--- a/include/sysemu/dirtylimit.h
+++ b/include/system/dirtylimit.h
diff --git a/include/sysemu/dirtyrate.h b/include/system/dirtyrate.h
index 20813f303f..20813f303f 100644
--- a/include/sysemu/dirtyrate.h
+++ b/include/system/dirtyrate.h
diff --git a/include/sysemu/dma.h b/include/system/dma.h
index 5a49a30628..5a49a30628 100644
--- a/include/sysemu/dma.h
+++ b/include/system/dma.h
diff --git a/include/sysemu/dump-arch.h b/include/system/dump-arch.h
index 743916e46c..743916e46c 100644
--- a/include/sysemu/dump-arch.h
+++ b/include/system/dump-arch.h
diff --git a/include/sysemu/dump.h b/include/system/dump.h
index d702854853..607bd7b220 100644
--- a/include/sysemu/dump.h
+++ b/include/system/dump.h
@@ -39,8 +39,8 @@
 #define DUMP_LEVEL                  (1)
 #define DISKDUMP_HEADER_BLOCKS      (1)
 
-#include "sysemu/dump-arch.h"
-#include "sysemu/memory_mapping.h"
+#include "system/dump-arch.h"
+#include "system/memory_mapping.h"
 
 typedef struct QEMU_PACKED MakedumpfileHeader {
     char signature[16];     /* = "makedumpfile" */
diff --git a/include/sysemu/event-loop-base.h b/include/system/event-loop-base.h
index a6c24f1351..a6c24f1351 100644
--- a/include/sysemu/event-loop-base.h
+++ b/include/system/event-loop-base.h
diff --git a/include/sysemu/host_iommu_device.h b/include/system/host_iommu_device.h
index 809cced4ba..809cced4ba 100644
--- a/include/sysemu/host_iommu_device.h
+++ b/include/system/host_iommu_device.h
diff --git a/include/sysemu/hostmem.h b/include/system/hostmem.h
index 67f45abe39..5c21ca55c0 100644
--- a/include/sysemu/hostmem.h
+++ b/include/system/hostmem.h
@@ -10,10 +10,10 @@
  * See the COPYING file in the top-level directory.
  */
 
-#ifndef SYSEMU_HOSTMEM_H
-#define SYSEMU_HOSTMEM_H
+#ifndef SYSTEM_HOSTMEM_H
+#define SYSTEM_HOSTMEM_H
 
-#include "sysemu/numa.h"
+#include "system/numa.h"
 #include "qapi/qapi-types-machine.h"
 #include "qom/object.h"
 #include "exec/memory.h"
diff --git a/include/sysemu/hvf.h b/include/system/hvf.h
index 730f927f03..730f927f03 100644
--- a/include/sysemu/hvf.h
+++ b/include/system/hvf.h
diff --git a/include/sysemu/hvf_int.h b/include/system/hvf_int.h
index 42ae18433f..42ae18433f 100644
--- a/include/sysemu/hvf_int.h
+++ b/include/system/hvf_int.h
diff --git a/include/sysemu/hw_accel.h b/include/system/hw_accel.h
index c71b77e71f..380e9e640b 100644
--- a/include/sysemu/hw_accel.h
+++ b/include/system/hw_accel.h
@@ -12,10 +12,10 @@
 #define QEMU_HW_ACCEL_H
 
 #include "hw/core/cpu.h"
-#include "sysemu/kvm.h"
-#include "sysemu/hvf.h"
-#include "sysemu/whpx.h"
-#include "sysemu/nvmm.h"
+#include "system/kvm.h"
+#include "system/hvf.h"
+#include "system/whpx.h"
+#include "system/nvmm.h"
 
 void cpu_synchronize_state(CPUState *cpu);
 void cpu_synchronize_post_reset(CPUState *cpu);
diff --git a/include/sysemu/iommufd.h b/include/system/iommufd.h
index 4c4886c778..cbab75bfbf 100644
--- a/include/sysemu/iommufd.h
+++ b/include/system/iommufd.h
@@ -11,13 +11,13 @@
  * SPDX-License-Identifier: GPL-2.0-or-later
  */
 
-#ifndef SYSEMU_IOMMUFD_H
-#define SYSEMU_IOMMUFD_H
+#ifndef SYSTEM_IOMMUFD_H
+#define SYSTEM_IOMMUFD_H
 
 #include "qom/object.h"
 #include "exec/hwaddr.h"
 #include "exec/cpu-common.h"
-#include "sysemu/host_iommu_device.h"
+#include "system/host_iommu_device.h"
 
 #define TYPE_IOMMUFD_BACKEND "iommufd"
 OBJECT_DECLARE_TYPE(IOMMUFDBackend, IOMMUFDBackendClass, IOMMUFD_BACKEND)
diff --git a/include/sysemu/iothread.h b/include/system/iothread.h
index 2102a90eca..d95c17a645 100644
--- a/include/sysemu/iothread.h
+++ b/include/system/iothread.h
@@ -17,7 +17,7 @@
 #include "block/aio.h"
 #include "qemu/thread.h"
 #include "qom/object.h"
-#include "sysemu/event-loop-base.h"
+#include "system/event-loop-base.h"
 
 #define TYPE_IOTHREAD "iothread"
 
diff --git a/include/sysemu/kvm.h b/include/system/kvm.h
index ab17c09a55..ab17c09a55 100644
--- a/include/sysemu/kvm.h
+++ b/include/system/kvm.h
diff --git a/include/sysemu/kvm_int.h b/include/system/kvm_int.h
index a1e72763da..4de6106869 100644
--- a/include/sysemu/kvm_int.h
+++ b/include/system/kvm_int.h
@@ -13,7 +13,7 @@
 #include "qapi/qapi-types-common.h"
 #include "qemu/accel.h"
 #include "qemu/queue.h"
-#include "sysemu/kvm.h"
+#include "system/kvm.h"
 #include "hw/boards.h"
 #include "hw/i386/topology.h"
 #include "io/channel-socket.h"
diff --git a/include/sysemu/kvm_xen.h b/include/system/kvm_xen.h
index 961c702c4e..7d0e69f133 100644
--- a/include/sysemu/kvm_xen.h
+++ b/include/system/kvm_xen.h
@@ -9,8 +9,8 @@
  *
  */
 
-#ifndef QEMU_SYSEMU_KVM_XEN_H
-#define QEMU_SYSEMU_KVM_XEN_H
+#ifndef QEMU_SYSTEM_KVM_XEN_H
+#define QEMU_SYSTEM_KVM_XEN_H
 
 /* The KVM API uses these to indicate "no GPA" or "no GFN" */
 #define INVALID_GPA UINT64_MAX
@@ -41,4 +41,4 @@ uint16_t kvm_xen_get_evtchn_max_pirq(void);
 #define XEN_SPECIAL_PFN(x) ((XEN_SPECIAL_AREA_ADDR >> TARGET_PAGE_BITS) + \
                             XEN_SPECIALPAGE_##x)
 
-#endif /* QEMU_SYSEMU_KVM_XEN_H */
+#endif /* QEMU_SYSTEM_KVM_XEN_H */
diff --git a/include/sysemu/memory_mapping.h b/include/system/memory_mapping.h
index 021e0a6230..021e0a6230 100644
--- a/include/sysemu/memory_mapping.h
+++ b/include/system/memory_mapping.h
diff --git a/include/sysemu/numa.h b/include/system/numa.h
index 0467614147..1044b0eb6e 100644
--- a/include/sysemu/numa.h
+++ b/include/system/numa.h
@@ -1,9 +1,8 @@
-#ifndef SYSEMU_NUMA_H
-#define SYSEMU_NUMA_H
+#ifndef SYSTEM_NUMA_H
+#define SYSTEM_NUMA_H
 
 #include "qemu/bitmap.h"
 #include "qapi/qapi-types-machine.h"
-#include "exec/cpu-common.h"
 
 struct CPUArchId;
 
diff --git a/include/sysemu/nvmm.h b/include/system/nvmm.h
index 6971ddb3a5..6971ddb3a5 100644
--- a/include/sysemu/nvmm.h
+++ b/include/system/nvmm.h
diff --git a/include/sysemu/os-posix.h b/include/system/os-posix.h
index b881ac6c6f..b881ac6c6f 100644
--- a/include/sysemu/os-posix.h
+++ b/include/system/os-posix.h
diff --git a/include/sysemu/os-win32.h b/include/system/os-win32.h
index b82a5d3ad9..b82a5d3ad9 100644
--- a/include/sysemu/os-win32.h
+++ b/include/system/os-win32.h
diff --git a/include/sysemu/qtest.h b/include/system/qtest.h
index c161d75165..c161d75165 100644
--- a/include/sysemu/qtest.h
+++ b/include/system/qtest.h
diff --git a/include/sysemu/replay.h b/include/system/replay.h
index cba74fa9bc..8926d8cf4b 100644
--- a/include/sysemu/replay.h
+++ b/include/system/replay.h
@@ -8,8 +8,8 @@
  * See the COPYING file in the top-level directory.
  *
  */
-#ifndef SYSEMU_REPLAY_H
-#define SYSEMU_REPLAY_H
+#ifndef SYSTEM_REPLAY_H
+#define SYSTEM_REPLAY_H
 
 #ifdef CONFIG_USER_ONLY
 #error Cannot include this header from user emulation
diff --git a/include/sysemu/reset.h b/include/system/reset.h
index 0e297c0e02..97131d94cf 100644
--- a/include/sysemu/reset.h
+++ b/include/system/reset.h
@@ -24,8 +24,8 @@
  * THE SOFTWARE.
  */
 
-#ifndef QEMU_SYSEMU_RESET_H
-#define QEMU_SYSEMU_RESET_H
+#ifndef QEMU_SYSTEM_RESET_H
+#define QEMU_SYSTEM_RESET_H
 
 #include "hw/resettable.h"
 #include "qapi/qapi-events-run-state.h"
diff --git a/include/sysemu/rng-random.h b/include/system/rng-random.h
index 0fdc6c6974..0fdc6c6974 100644
--- a/include/sysemu/rng-random.h
+++ b/include/system/rng-random.h
diff --git a/include/sysemu/rng.h b/include/system/rng.h
index e383f87d20..e383f87d20 100644
--- a/include/sysemu/rng.h
+++ b/include/system/rng.h
diff --git a/include/sysemu/rtc.h b/include/system/rtc.h
index 0fc8ad6fdf..cde83fab15 100644
--- a/include/sysemu/rtc.h
+++ b/include/system/rtc.h
@@ -22,8 +22,8 @@
  * THE SOFTWARE.
  */
 
-#ifndef SYSEMU_RTC_H
-#define SYSEMU_RTC_H
+#ifndef SYSTEM_RTC_H
+#define SYSTEM_RTC_H
 
 /**
  * qemu_get_timedate: Get the current RTC time
diff --git a/include/sysemu/runstate-action.h b/include/system/runstate-action.h
index db4e3099ae..db4e3099ae 100644
--- a/include/sysemu/runstate-action.h
+++ b/include/system/runstate-action.h
diff --git a/include/sysemu/runstate.h b/include/system/runstate.h
index 11c7ff3ffb..bffc3719d4 100644
--- a/include/sysemu/runstate.h
+++ b/include/system/runstate.h
@@ -1,5 +1,5 @@
-#ifndef SYSEMU_RUNSTATE_H
-#define SYSEMU_RUNSTATE_H
+#ifndef SYSTEM_RUNSTATE_H
+#define SYSTEM_RUNSTATE_H
 
 #include "qapi/qapi-types-run-state.h"
 #include "qemu/notify.h"
diff --git a/include/sysemu/seccomp.h b/include/system/seccomp.h
index fe859894f6..fe859894f6 100644
--- a/include/sysemu/seccomp.h
+++ b/include/system/seccomp.h
diff --git a/include/sysemu/spdm-socket.h b/include/system/spdm-socket.h
index 5d8bd9aa4e..5d8bd9aa4e 100644
--- a/include/sysemu/spdm-socket.h
+++ b/include/system/spdm-socket.h
diff --git a/include/sysemu/stats.h b/include/system/stats.h
index 42c236c795..42c236c795 100644
--- a/include/sysemu/stats.h
+++ b/include/system/stats.h
diff --git a/include/sysemu/sysemu.h b/include/system/system.h
index 7ec419ce13..5364ad4f27 100644
--- a/include/sysemu/sysemu.h
+++ b/include/system/system.h
@@ -1,5 +1,5 @@
-#ifndef SYSEMU_H
-#define SYSEMU_H
+#ifndef SYSTEM_H
+#define SYSTEM_H
 /* Misc. things related to the system emulator.  */
 
 #include "qemu/timer.h"
diff --git a/include/sysemu/tcg.h b/include/system/tcg.h
index 5e2ca9aab3..73229648c6 100644
--- a/include/sysemu/tcg.h
+++ b/include/system/tcg.h
@@ -7,8 +7,8 @@
 
 /* header to be included in non-TCG-specific code */
 
-#ifndef SYSEMU_TCG_H
-#define SYSEMU_TCG_H
+#ifndef SYSTEM_TCG_H
+#define SYSTEM_TCG_H
 
 #ifdef CONFIG_TCG
 extern bool tcg_allowed;
diff --git a/include/sysemu/tpm.h b/include/system/tpm.h
index 1ee568b3b6..1ee568b3b6 100644
--- a/include/sysemu/tpm.h
+++ b/include/system/tpm.h
diff --git a/include/sysemu/tpm_backend.h b/include/system/tpm_backend.h
index 7fabafefee..01b11f629c 100644
--- a/include/sysemu/tpm_backend.h
+++ b/include/system/tpm_backend.h
@@ -15,7 +15,7 @@
 
 #include "qom/object.h"
 #include "qemu/option.h"
-#include "sysemu/tpm.h"
+#include "system/tpm.h"
 #include "qapi/error.h"
 
 #ifdef CONFIG_TPM
diff --git a/include/sysemu/tpm_util.h b/include/system/tpm_util.h
index 08f05172a7..1858693225 100644
--- a/include/sysemu/tpm_util.h
+++ b/include/system/tpm_util.h
@@ -19,10 +19,10 @@
  * License along with this library; if not, see <http://www.gnu.org/licenses/>
  */
 
-#ifndef SYSEMU_TPM_UTIL_H
-#define SYSEMU_TPM_UTIL_H
+#ifndef SYSTEM_TPM_UTIL_H
+#define SYSTEM_TPM_UTIL_H
 
-#include "sysemu/tpm.h"
+#include "system/tpm.h"
 #include "qemu/bswap.h"
 
 void tpm_util_write_fatal_error_response(uint8_t *out, uint32_t out_len);
@@ -69,4 +69,4 @@ static inline void tpm_cmd_set_error(void *b, uint32_t error)
 void tpm_util_show_buffer(const unsigned char *buffer,
                           size_t buffer_size, const char *string);
 
-#endif /* SYSEMU_TPM_UTIL_H */
+#endif /* SYSTEM_TPM_UTIL_H */
diff --git a/include/sysemu/vhost-user-backend.h b/include/system/vhost-user-backend.h
index 327b0b84f1..327b0b84f1 100644
--- a/include/sysemu/vhost-user-backend.h
+++ b/include/system/vhost-user-backend.h
diff --git a/include/sysemu/watchdog.h b/include/system/watchdog.h
index 745c89b02b..745c89b02b 100644
--- a/include/sysemu/watchdog.h
+++ b/include/system/watchdog.h
diff --git a/include/sysemu/whpx.h b/include/system/whpx.h
index 00ff409b68..00ff409b68 100644
--- a/include/sysemu/whpx.h
+++ b/include/system/whpx.h
diff --git a/include/sysemu/xen-mapcache.h b/include/system/xen-mapcache.h
index b5e3ea1bc0..b68f196ddd 100644
--- a/include/sysemu/xen-mapcache.h
+++ b/include/system/xen-mapcache.h
@@ -10,7 +10,7 @@
 #define XEN_MAPCACHE_H
 
 #include "exec/cpu-common.h"
-#include "sysemu/xen.h"
+#include "system/xen.h"
 
 typedef hwaddr (*phys_offset_to_gaddr_t)(hwaddr phys_offset,
                                          ram_addr_t size);
diff --git a/include/sysemu/xen.h b/include/system/xen.h
index d70eacfbe2..990c19a8ef 100644
--- a/include/sysemu/xen.h
+++ b/include/system/xen.h
@@ -7,11 +7,11 @@
 
 /* header to be included in non-Xen-specific code */
 
-#ifndef SYSEMU_XEN_H
-#define SYSEMU_XEN_H
+#ifndef SYSTEM_XEN_H
+#define SYSTEM_XEN_H
 
 #ifdef CONFIG_USER_ONLY
-#error Cannot include sysemu/xen.h from user emulation
+#error Cannot include system/xen.h from user emulation
 #endif
 
 #include "exec/cpu-common.h"
diff --git a/include/user/cpu_loop.h b/include/user/cpu_loop.h
new file mode 100644
index 0000000000..589c66543f
--- /dev/null
+++ b/include/user/cpu_loop.h
@@ -0,0 +1,90 @@
+/*
+ *  qemu user cpu loop
+ *
+ *  Copyright (c) 2003-2008 Fabrice Bellard
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef USER_CPU_LOOP_H
+#define USER_CPU_LOOP_H
+
+#include "exec/abi_ptr.h"
+#include "exec/mmu-access-type.h"
+#include "exec/log.h"
+#include "exec/target_long.h"
+#include "special-errno.h"
+
+/**
+ * adjust_signal_pc:
+ * @pc: raw pc from the host signal ucontext_t.
+ * @is_write: host memory operation was write, or read-modify-write.
+ *
+ * Alter @pc as required for unwinding.  Return the type of the
+ * guest memory access -- host reads may be for guest execution.
+ */
+MMUAccessType adjust_signal_pc(uintptr_t *pc, bool is_write);
+
+/**
+ * handle_sigsegv_accerr_write:
+ * @cpu: the cpu context
+ * @old_set: the sigset_t from the signal ucontext_t
+ * @host_pc: the host pc, adjusted for the signal
+ * @host_addr: the host address of the fault
+ *
+ * Return true if the write fault has been handled, and should be re-tried.
+ */
+bool handle_sigsegv_accerr_write(CPUState *cpu, sigset_t *old_set,
+                                 uintptr_t host_pc, abi_ptr guest_addr);
+
+/**
+ * cpu_loop_exit_sigsegv:
+ * @cpu: the cpu context
+ * @addr: the guest address of the fault
+ * @access_type: access was read/write/execute
+ * @maperr: true for invalid page, false for permission fault
+ * @ra: host pc for unwinding
+ *
+ * Use the TCGCPUOps hook to record cpu state, do guest operating system
+ * specific things to raise SIGSEGV, and jump to the main cpu loop.
+ */
+G_NORETURN void cpu_loop_exit_sigsegv(CPUState *cpu, target_ulong addr,
+                                      MMUAccessType access_type,
+                                      bool maperr, uintptr_t ra);
+
+/**
+ * cpu_loop_exit_sigbus:
+ * @cpu: the cpu context
+ * @addr: the guest address of the alignment fault
+ * @access_type: access was read/write/execute
+ * @ra: host pc for unwinding
+ *
+ * Use the TCGCPUOps hook to record cpu state, do guest operating system
+ * specific things to raise SIGBUS, and jump to the main cpu loop.
+ */
+G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
+                                     MMUAccessType access_type,
+                                     uintptr_t ra);
+
+G_NORETURN void cpu_loop(CPUArchState *env);
+
+void target_exception_dump(CPUArchState *env, const char *fmt, int code);
+#define EXCP_DUMP(env, fmt, code) \
+    target_exception_dump(env, fmt, code)
+
+typedef struct target_pt_regs target_pt_regs;
+
+void target_cpu_copy_regs(CPUArchState *env, target_pt_regs *regs);
+
+#endif
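Review bot: The kernel-doc for `handle_sigsegv_accerr_write` lists `@host_addr: the host address of the fault`, but the last parameter in the prototype is `abi_ptr guest_addr`. The comment therefore names a parameter that does not exist and describes the wrong address space. A caller reading only this header cannot tell whether a host or a guest address is expected. Going by the `abi_ptr` type, the line should presumably read `@guest_addr: the guest address of the fault`; confirm against the definition, which is not part of this hunk.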
diff --git a/include/user/guest-host.h b/include/user/guest-host.h
new file mode 100644
index 0000000000..8d2079bbbb
--- /dev/null
+++ b/include/user/guest-host.h
@@ -0,0 +1,87 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+/*
+ * guest <-> host helpers.
+ *
+ *  Copyright (c) 2003 Fabrice Bellard
+ */
+
+#ifndef USER_GUEST_HOST_H
+#define USER_GUEST_HOST_H
+
+#include "user/abitypes.h"
+#include "user/guest-base.h"
+#include "cpu.h"
+
+/*
+ * If non-zero, the guest virtual address space is a contiguous subset
+ * of the host virtual address space, i.e. '-R reserved_va' is in effect
+ * either from the command-line or by default.  The value is the last
+ * byte of the guest address space e.g. UINT32_MAX.
+ *
+ * If zero, the host and guest virtual address spaces are intermingled.
+ */
+extern unsigned long reserved_va;
+
+/*
+ * Limit the guest addresses as best we can.
+ *
+ * When not using -R reserved_va, we cannot really limit the guest
+ * to less address space than the host.  For 32-bit guests, this
+ * acts as a sanity check that we're not giving the guest an address
+ * that it cannot even represent.  For 64-bit guests... the address
+ * might not be what the real kernel would give, but it is at least
+ * representable in the guest.
+ *
+ * TODO: Improve address allocation to avoid this problem, and to
+ * avoid setting bits at the top of guest addresses that might need
+ * to be used for tags.
+ */
+#define GUEST_ADDR_MAX_                                                 \
+    ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ?  \
+     UINT32_MAX : ~0ul)
+#define GUEST_ADDR_MAX    (reserved_va ? : GUEST_ADDR_MAX_)
+
+#ifndef TARGET_TAGGED_ADDRESSES
+static inline abi_ptr cpu_untagged_addr(CPUState *cs, abi_ptr x)
+{
+    return x;
+}
+#endif
+
+/* All direct uses of g2h and h2g need to go away for usermode softmmu.  */
+static inline void *g2h_untagged(abi_ptr x)
+{
+    return (void *)((uintptr_t)(x) + guest_base);
+}
+
+static inline void *g2h(CPUState *cs, abi_ptr x)
+{
+    return g2h_untagged(cpu_untagged_addr(cs, x));
+}
+
+static inline bool guest_addr_valid_untagged(abi_ulong x)
+{
+    return x <= GUEST_ADDR_MAX;
+}
+
+static inline bool guest_range_valid_untagged(abi_ulong start, abi_ulong len)
+{
+    return len - 1 <= GUEST_ADDR_MAX && start <= GUEST_ADDR_MAX - len + 1;
+}
+
+#define h2g_valid(x) \
+    (HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS || \
+     (uintptr_t)(x) - guest_base <= GUEST_ADDR_MAX)
+
+#define h2g_nocheck(x) ({ \
+    uintptr_t __ret = (uintptr_t)(x) - guest_base; \
+    (abi_ptr)__ret; \
+})
+
+#define h2g(x) ({ \
+    /* Check if given address fits target address space */ \
+    assert(h2g_valid(x)); \
+    h2g_nocheck(x); \
+})
+
+#endif
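Review bot: `guest_range_valid_untagged` carries no comment stating its contract, although it is the range check that bounds guest-supplied `start`/`len` pairs. In `len - 1 <= GUEST_ADDR_MAX`, the subtraction wraps when `len` is 0, so the answer for an empty range depends on the current `GUEST_ADDR_MAX` rather than being fixed. If a non-zero length is the intended precondition, say so above the function, e.g. `/* Return true if [start, start + len) lies within the guest address space; len must be non-zero because len - 1 wraps for 0. */`. Separately, `h2g(x)` expands `x` once in `h2g_valid` and again in `h2g_nocheck`, so an argument with side effects would be evaluated twice; a one-line note on the macro would warn callers.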
diff --git a/include/user/page-protection.h b/include/user/page-protection.h
new file mode 100644
index 0000000000..51daa18648
--- /dev/null
+++ b/include/user/page-protection.h
@@ -0,0 +1,99 @@
+/*
+ * QEMU page protection declarations.
+ *
+ *  Copyright (c) 2003 Fabrice Bellard
+ *
+ * SPDX-License-Identifier: LGPL-2.1+
+ */
+#ifndef USER_PAGE_PROTECTION_H
+#define USER_PAGE_PROTECTION_H
+
+#ifndef CONFIG_USER_ONLY
+#error Cannot include this header from system emulation
+#endif
+
+#include "cpu-param.h"
+#include "exec/target_long.h"
+#include "exec/translation-block.h"
+
+void page_protect(tb_page_addr_t page_addr);
+int page_unprotect(tb_page_addr_t address, uintptr_t pc);
+
+int page_get_flags(target_ulong address);
+
+/**
+ * page_set_flags:
+ * @start: first byte of range
+ * @last: last byte of range
+ * @flags: flags to set
+ * Context: holding mmap lock
+ *
+ * Modify the flags of a page and invalidate the code if necessary.
+ * The flag PAGE_WRITE_ORG is positioned automatically depending
+ * on PAGE_WRITE.  The mmap_lock should already be held.
+ */
+void page_set_flags(target_ulong start, target_ulong last, int flags);
+
+void page_reset_target_data(target_ulong start, target_ulong last);
+
+/**
+ * page_check_range
+ * @start: first byte of range
+ * @len: length of range
+ * @flags: flags required for each page
+ *
+ * Return true if every page in [@start, @start+@len) has @flags set.
+ * Return false if any page is unmapped.  Thus testing flags == 0 is
+ * equivalent to testing for flags == PAGE_VALID.
+ */
+bool page_check_range(target_ulong start, target_ulong last, int flags);
+
+/**
+ * page_check_range_empty:
+ * @start: first byte of range
+ * @last: last byte of range
+ * Context: holding mmap lock
+ *
+ * Return true if the entire range [@start, @last] is unmapped.
+ * The memory lock must be held so that the caller will can ensure
+ * the result stays true until a new mapping can be installed.
+ */
+bool page_check_range_empty(target_ulong start, target_ulong last);
+
+/**
+ * page_find_range_empty
+ * @min: first byte of search range
+ * @max: last byte of search range
+ * @len: size of the hole required
+ * @align: alignment of the hole required (power of 2)
+ *
+ * If there is a range [x, x+@len) within [@min, @max] such that
+ * x % @align == 0, then return x.  Otherwise return -1.
+ * The memory lock must be held, as the caller will want to ensure
+ * the returned range stays empty until a new mapping can be installed.
+ */
+target_ulong page_find_range_empty(target_ulong min, target_ulong max,
+                                   target_ulong len, target_ulong align);
+
+/**
+ * page_get_target_data(address)
+ * @address: guest virtual address
+ *
+ * Return TARGET_PAGE_DATA_SIZE bytes of out-of-band data to associate
+ * with the guest page at @address, allocating it if necessary.  The
+ * caller should already have verified that the address is valid.
+ *
+ * The memory will be freed when the guest page is deallocated,
+ * e.g. with the munmap system call.
+ */
+__attribute__((returns_nonnull))
+void *page_get_target_data(target_ulong address);
+
+typedef int (*walk_memory_regions_fn)(void *, target_ulong,
+                                      target_ulong, unsigned long);
+
+int walk_memory_regions(void *, walk_memory_regions_fn);
+
+void page_dump(FILE *f);
+
+#endif
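Review bot: The doc comment for `page_check_range` describes `@len: length of range` and the half-open interval `[@start, @start+@len)`, but the prototype names the second parameter `last`. In the neighbouring declarations (`page_set_flags`, `page_check_range_empty`), `last` means an inclusive last byte. A caller who trusts the parameter name would pass the final address instead of a length, and this permission check would then cover the wrong range. If the comment is right, the declaration should read `bool page_check_range(target_ulong start, target_ulong len, int flags);`; the definition is outside this hunk, so confirm which side is correct. The `page_check_range_empty` comment also has a typo, "the caller will can ensure", which should read "the caller can ensure".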