diff --git a/qemu/aarch64.h b/qemu/aarch64.h
index 29d3e5ea..6db1096f 100644
--- a/qemu/aarch64.h
+++ b/qemu/aarch64.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_aarch64
 #define print_type_size print_type_size_aarch64
 #define print_type_str print_type_str_aarch64
+#define probe_access probe_access_aarch64
 #define probe_write probe_write_aarch64
 #define propagateFloat128NaN propagateFloat128NaN_aarch64
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_aarch64
diff --git a/qemu/aarch64eb.h b/qemu/aarch64eb.h
index f32a0af9..7cf4e034 100644
--- a/qemu/aarch64eb.h
+++ b/qemu/aarch64eb.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_aarch64eb
 #define print_type_size print_type_size_aarch64eb
 #define print_type_str print_type_str_aarch64eb
+#define probe_access probe_access_aarch64eb
 #define probe_write probe_write_aarch64eb
 #define propagateFloat128NaN propagateFloat128NaN_aarch64eb
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_aarch64eb
diff --git a/qemu/accel/tcg/cputlb.c b/qemu/accel/tcg/cputlb.c
index edc58b81..0258c427 100644
--- a/qemu/accel/tcg/cputlb.c
+++ b/qemu/accel/tcg/cputlb.c
@@ -703,30 +703,51 @@ static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
     }
 }
 
-/* Probe for whether the specified guest write access is permitted.
- * If it is not permitted then an exception will be taken in the same
- * way as if this were a real write access (and we will not return).
+/*
+ * Probe for whether the specified guest access is permitted. If it is not
+ * permitted then an exception will be taken in the same way as if this
+ * were a real access (and we will not return).
  * If the size is 0 or the page requires I/O access, returns NULL; otherwise,
  * returns the address of the host page similar to tlb_vaddr_to_host().
  */
-void *probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
-                  uintptr_t retaddr)
+void *probe_access(CPUArchState *env, target_ulong addr, int size,
+                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
 {
     uintptr_t index = tlb_index(env, mmu_idx, addr);
     CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-    target_ulong tlb_addr = tlb_addr_write(entry);
+    target_ulong tlb_addr;
+    size_t elt_ofs;
+    int wp_access;
 
     g_assert(-(addr | TARGET_PAGE_MASK) >= size);
 
+    switch (access_type) {
+    case MMU_DATA_LOAD:
+        elt_ofs = offsetof(CPUTLBEntry, addr_read);
+        wp_access = BP_MEM_READ;
+        break;
+    case MMU_DATA_STORE:
+        elt_ofs = offsetof(CPUTLBEntry, addr_write);
+        wp_access = BP_MEM_WRITE;
+        break;
+    case MMU_INST_FETCH:
+        elt_ofs = offsetof(CPUTLBEntry, addr_code);
+        wp_access = BP_MEM_READ;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+    tlb_addr = tlb_read_ofs(entry, elt_ofs);
+
     if (unlikely(!tlb_hit(tlb_addr, addr))) {
-        if (!VICTIM_TLB_HIT(addr_write, addr)) {
-            tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
-                     mmu_idx, retaddr);
+        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs,
+                            addr & TARGET_PAGE_MASK)) {
+            tlb_fill(env_cpu(env), addr, size, access_type, mmu_idx, retaddr);
             /* TLB resize via tlb_fill may have moved the entry. */
             index = tlb_index(env, mmu_idx, addr);
             entry = tlb_entry(env, mmu_idx, addr);
         }
-        tlb_addr = tlb_addr_write(entry);
+        tlb_addr = tlb_read_ofs(entry, elt_ofs);
     }
 
     if (!size) {
@@ -737,7 +758,7 @@ void *probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
     if (tlb_addr & TLB_WATCHPOINT) {
         cpu_check_watchpoint(env_cpu(env), addr, size,
                              env->iotlb[mmu_idx][index].attrs,
-                             BP_MEM_WRITE, retaddr);
+                             wp_access, retaddr);
     }
 
     if (tlb_addr & (TLB_NOTDIRTY | TLB_MMIO)) {
diff --git a/qemu/arm.h b/qemu/arm.h
index 1f980589..88575100 100644
--- a/qemu/arm.h
+++ b/qemu/arm.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_arm
 #define print_type_size print_type_size_arm
 #define print_type_str print_type_str_arm
+#define probe_access probe_access_arm
 #define probe_write probe_write_arm
 #define propagateFloat128NaN propagateFloat128NaN_arm
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_arm
diff --git a/qemu/armeb.h b/qemu/armeb.h
index 72377e9c..849c8890 100644
--- a/qemu/armeb.h
+++ b/qemu/armeb.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_armeb
 #define print_type_size print_type_size_armeb
 #define print_type_str print_type_str_armeb
+#define probe_access probe_access_armeb
 #define probe_write probe_write_armeb
 #define propagateFloat128NaN propagateFloat128NaN_armeb
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_armeb
diff --git a/qemu/header_gen.py b/qemu/header_gen.py
index 5ce8622a..073410e1 100644
--- a/qemu/header_gen.py
+++ b/qemu/header_gen.py
@@ -2263,6 +2263,7 @@ symbols = (
     'print_type_number',
     'print_type_size',
     'print_type_str',
+    'probe_access',
     'probe_write',
     'propagateFloat128NaN',
     'propagateFloat32MulAddNaN',
diff --git a/qemu/include/exec/exec-all.h b/qemu/include/exec/exec-all.h
index dac5e77d..cf193048 100644
--- a/qemu/include/exec/exec-all.h
+++ b/qemu/include/exec/exec-all.h
@@ -213,8 +213,14 @@ static inline void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
 }
 #endif
 
-void *probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
-                  uintptr_t retaddr);
+void *probe_access(CPUArchState *env, target_ulong addr, int size,
+                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr);
+
+static inline void *probe_write(CPUArchState *env, target_ulong addr, int size,
+                                int mmu_idx, uintptr_t retaddr)
+{
+    return probe_access(env, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);
+}
 
 #define CODE_GEN_ALIGN           16 /* must be >= of the size of a icache line */
 
diff --git a/qemu/m68k.h b/qemu/m68k.h
index a9e6e0dd..46f5468f 100644
--- a/qemu/m68k.h
+++ b/qemu/m68k.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_m68k
 #define print_type_size print_type_size_m68k
 #define print_type_str print_type_str_m68k
+#define probe_access probe_access_m68k
 #define probe_write probe_write_m68k
 #define propagateFloat128NaN propagateFloat128NaN_m68k
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_m68k
diff --git a/qemu/mips.h b/qemu/mips.h
index 2eafb370..2d2284fa 100644
--- a/qemu/mips.h
+++ b/qemu/mips.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_mips
 #define print_type_size print_type_size_mips
 #define print_type_str print_type_str_mips
+#define probe_access probe_access_mips
 #define probe_write probe_write_mips
 #define propagateFloat128NaN propagateFloat128NaN_mips
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_mips
diff --git a/qemu/mips64.h b/qemu/mips64.h
index 197181c5..ef16f6bd 100644
--- a/qemu/mips64.h
+++ b/qemu/mips64.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_mips64
 #define print_type_size print_type_size_mips64
 #define print_type_str print_type_str_mips64
+#define probe_access probe_access_mips64
 #define probe_write probe_write_mips64
 #define propagateFloat128NaN propagateFloat128NaN_mips64
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_mips64
diff --git a/qemu/mips64el.h b/qemu/mips64el.h
index 8d8b8f93..4a3e9d2b 100644
--- a/qemu/mips64el.h
+++ b/qemu/mips64el.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_mips64el
 #define print_type_size print_type_size_mips64el
 #define print_type_str print_type_str_mips64el
+#define probe_access probe_access_mips64el
 #define probe_write probe_write_mips64el
 #define propagateFloat128NaN propagateFloat128NaN_mips64el
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_mips64el
diff --git a/qemu/mipsel.h b/qemu/mipsel.h
index 470339b7..4db4a8cf 100644
--- a/qemu/mipsel.h
+++ b/qemu/mipsel.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_mipsel
 #define print_type_size print_type_size_mipsel
 #define print_type_str print_type_str_mipsel
+#define probe_access probe_access_mipsel
 #define probe_write probe_write_mipsel
 #define propagateFloat128NaN propagateFloat128NaN_mipsel
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_mipsel
diff --git a/qemu/powerpc.h b/qemu/powerpc.h
index 59037717..94ff746e 100644
--- a/qemu/powerpc.h
+++ b/qemu/powerpc.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_powerpc
 #define print_type_size print_type_size_powerpc
 #define print_type_str print_type_str_powerpc
+#define probe_access probe_access_powerpc
 #define probe_write probe_write_powerpc
 #define propagateFloat128NaN propagateFloat128NaN_powerpc
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_powerpc
diff --git a/qemu/riscv32.h b/qemu/riscv32.h
index b36d33fb..3806e2f8 100644
--- a/qemu/riscv32.h
+++ b/qemu/riscv32.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_riscv32
 #define print_type_size print_type_size_riscv32
 #define print_type_str print_type_str_riscv32
+#define probe_access probe_access_riscv32
 #define probe_write probe_write_riscv32
 #define propagateFloat128NaN propagateFloat128NaN_riscv32
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_riscv32
diff --git a/qemu/riscv64.h b/qemu/riscv64.h
index f76c3c95..7b0cafbb 100644
--- a/qemu/riscv64.h
+++ b/qemu/riscv64.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_riscv64
 #define print_type_size print_type_size_riscv64
 #define print_type_str print_type_str_riscv64
+#define probe_access probe_access_riscv64
 #define probe_write probe_write_riscv64
 #define propagateFloat128NaN propagateFloat128NaN_riscv64
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_riscv64
diff --git a/qemu/sparc.h b/qemu/sparc.h
index 54f19d4c..d7a4e3f6 100644
--- a/qemu/sparc.h
+++ b/qemu/sparc.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_sparc
 #define print_type_size print_type_size_sparc
 #define print_type_str print_type_str_sparc
+#define probe_access probe_access_sparc
 #define probe_write probe_write_sparc
 #define propagateFloat128NaN propagateFloat128NaN_sparc
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_sparc
diff --git a/qemu/sparc64.h b/qemu/sparc64.h
index acf3900d..cf6c458f 100644
--- a/qemu/sparc64.h
+++ b/qemu/sparc64.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_sparc64
 #define print_type_size print_type_size_sparc64
 #define print_type_str print_type_str_sparc64
+#define probe_access probe_access_sparc64
 #define probe_write probe_write_sparc64
 #define propagateFloat128NaN propagateFloat128NaN_sparc64
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_sparc64
diff --git a/qemu/x86_64.h b/qemu/x86_64.h
index 550d234e..616b9508 100644
--- a/qemu/x86_64.h
+++ b/qemu/x86_64.h
@@ -2257,6 +2257,7 @@
 #define print_type_number print_type_number_x86_64
 #define print_type_size print_type_size_x86_64
 #define print_type_str print_type_str_x86_64
+#define probe_access probe_access_x86_64
 #define probe_write probe_write_x86_64
 #define propagateFloat128NaN propagateFloat128NaN_x86_64
 #define propagateFloat32MulAddNaN propagateFloat32MulAddNaN_x86_64