Patchwork [v6,1/4] hw: introduce standard SD host controller

login
register
mail settings
Submitter Peter A. G. Crosthwaite
Date Aug. 6, 2012, 3:25 a.m.
Message ID <a3cd1ec7a7010f5bc00b6fb7bae00a084d16d310.1344223191.git.peter.crosthwaite@petalogix.com>
Download mbox | patch
Permalink /patch/175251/
State New
Headers show

Comments

Peter A. G. Crosthwaite - Aug. 6, 2012, 3:25 a.m.
From: Igor Mitsyanko <i.mitsyanko@samsung.com>

Device model for standard SD Host Controller Interface (SDHCI) compliant with
version 2.00 of SD association specification.

Signed-off-by: Peter A. G. Crosthwaite <peter.crosthwaite@petalogix.com>
Signed-off-by: Igor Mitsyanko <i.mitsyanko@samsung.com>
---
changed from v5 (Igor):
remove slotint register from SDHCI state;
calculate slotint register value dynamically;
changed from v4 (Igor):
s/sdhc_not_stoped/sdhc_not_stopped/
s/stoped_state/stopped_state/
s/stoped_adma/stopped_adma/
stop insert timer when host controller resets;
stop and free insert timer, free eject_cb and ro_cb in deinit function;
drop redundant "(s->trnmod & SDHC_TRNS_MULTI)" clause;
add comment to Property struct;
changed from v1:
Fixed include guard (Andreas review)
Rebased for new Makefile system
changed from v2:
Typographical fixes for adma implementation
 default-configs/arm-softmmu.mak |    1 +
 hw/Makefile.objs                |    1 +
 hw/sdhci.c                      | 1262 +++++++++++++++++++++++++++++++++++++++
 hw/sdhci.h                      |  309 ++++++++++
 4 files changed, 1573 insertions(+), 0 deletions(-)
 create mode 100644 hw/sdhci.c
 create mode 100644 hw/sdhci.h
Peter Maydell - Aug. 6, 2012, 10:30 a.m.
On 6 August 2012 04:25, Peter A. G. Crosthwaite
<peter.crosthwaite@petalogix.com> wrote:

> +static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
> +{
> +    bool page_aligned = false;
> +    unsigned int n, begin;
> +    const uint16_t block_size = s->blksize & 0x0fff;
> +    uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
> +    uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
> +
> +    /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
> +     * possible stop at page boundary if initial address is not page aligned,
> +     * allow them to work properly */
> +    if ((s->sdmasysad % boundary_chk) == 0) {
> +        page_aligned = true;
> +    }

It's not quite clear to me what this comment is indicating. Is it
a bit of behaviour which is "not specified but behave as hardware
happens to do because software is accidentally relying on it", or
are we behaving differently from hardware here?

> +static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
> +{
> +    uint32_t adma1 = 0;
> +    uint64_t adma2 = 0;
> +    target_phys_addr_t entry_addr = (target_phys_addr_t)s->admasysaddr;
> +
> +    switch (SDHC_DMA_TYPE(s->hostctl)) {
> +    case SDHC_CTRL_ADMA2_32:
> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma2, sizeof(adma2));
> +        dscr->addr = (target_phys_addr_t)((adma2 >> 32) & 0xfffffffc);
> +        dscr->length = (uint16_t)((adma2 >> 16) & 0xFFFF);
> +        dscr->attr = (uint8_t)(adma2 & 0x3F);

Does the SDHCI spec define that these words are interpreted like
this regardless of system endianness, or is this an accidental
assumption of little-endian behaviour?

-- PMM
Peter Maydell - Aug. 6, 2012, 11:15 a.m.
On 6 August 2012 04:25, Peter A. G. Crosthwaite
<peter.crosthwaite@petalogix.com> wrote:
> From: Igor Mitsyanko <i.mitsyanko@samsung.com>
>
> Device model for standard SD Host Controller Interface (SDHCI) compliant with
> version 2.00 of SD association specification.

> +typedef struct ADMADescr {
> +    target_phys_addr_t addr;
> +    uint16_t length;
> +    uint8_t attr;
> +    uint8_t incr;
> +} ADMADescr;
> +
> +static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
> +{
> +    uint32_t adma1 = 0;
> +    uint64_t adma2 = 0;
> +    target_phys_addr_t entry_addr = (target_phys_addr_t)s->admasysaddr;
> +
> +    switch (SDHC_DMA_TYPE(s->hostctl)) {
> +    case SDHC_CTRL_ADMA2_32:
> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma2, sizeof(adma2));
> +        dscr->addr = (target_phys_addr_t)((adma2 >> 32) & 0xfffffffc);
> +        dscr->length = (uint16_t)((adma2 >> 16) & 0xFFFF);
> +        dscr->attr = (uint8_t)(adma2 & 0x3F);
> +        dscr->incr = 8;
> +        break;
> +    case SDHC_CTRL_ADMA1_32:
> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma1, sizeof(adma1));
> +        dscr->addr = (target_phys_addr_t)(adma1 & 0xFFFFF000);
> +        dscr->attr = (uint8_t)(adma1 & 0x3F);
> +        dscr->incr = 4;
> +        if ((dscr->attr & SDHC_ADMA_ATTR_ACT_MASK) == SDHC_ADMA_ATTR_SET_LEN) {
> +            dscr->length = (uint16_t)((adma1 >> 12) & 0xFFFF);
> +        } else {
> +            dscr->length = 4096;
> +        }
> +        break;
> +    case SDHC_CTRL_ADMA2_64:
> +        cpu_physical_memory_read(entry_addr, (uint8_t *)(&dscr->attr), 1);
> +        cpu_physical_memory_read(entry_addr + 2, (uint8_t *)(&dscr->length), 2);
> +        cpu_physical_memory_read(entry_addr + 4, (uint8_t *)(&dscr->addr), 8);
> +        dscr->attr &= 0xfffffff8;
> +        dscr->incr = 12;
> +        break;
> +    }
> +}
> +
> +/* Advanced DMA data transfer */
> +static void sdhci_start_adma(SDHCIState *s)
> +{
> +    unsigned int n, begin, length;
> +    const uint16_t block_size = s->blksize & 0x0fff;
> +    ADMADescr dscr;
> +    s->admaerr &= ~SDHC_ADMAERR_LENGTH_MISMATCH;
> +
> +    while (1) {
> +        get_adma_description(s, &dscr);
> +        DPRINT_L2("ADMA loop: addr=" TARGET_FMT_plx ", len=%d, attr=%x\n",
> +                dscr.addr, dscr.length, dscr.attr);
> +
> +        if ((dscr.attr & SDHC_ADMA_ATTR_VALID) == 0) {
> +            /* Indicate that error occurred in ST_FDS state */
> +            s->admaerr &= ~SDHC_ADMAERR_STATE_MASK;
> +            s->admaerr |= SDHC_ADMAERR_STATE_ST_FDS;
> +
> +            /* Generate ADMA error interrupt */
> +            if (s->errintstsen & SDHC_EISEN_ADMAERR) {
> +                s->errintsts |= SDHC_EIS_ADMAERR;
> +                s->norintsts |= SDHC_NIS_ERR;
> +            }
> +
> +            sdhci_update_irq(s);
> +            break;
> +        }
> +
> +        length = dscr.length ? dscr.length : 65536;
> +
> +        switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
> +        case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
> +
> +            if (s->trnmod & SDHC_TRNS_READ) {
> +                while (length) {
> +                    if (s->data_count == 0) {
> +                        for (n = 0; n < block_size; n++) {
> +                            s->fifo_buffer[n] = sd_read_data(s->card);
> +                        }
> +                    }
> +                    begin = s->data_count;
> +                    if ((length + begin) < block_size) {
> +                        s->data_count = length + begin;
> +                        length = 0;
> +                     } else {
> +                        s->data_count = block_size;
> +                        length -= block_size - begin;
> +                    }
> +                    cpu_physical_memory_write(dscr.addr, &s->fifo_buffer[begin],
> +                            s->data_count - begin);
> +                    dscr.addr += s->data_count - begin;
> +                    if (s->data_count == block_size) {
> +                        s->data_count = 0;
> +                        if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
> +                            s->blkcnt--;
> +                            if (s->blkcnt == 0) {
> +                                break;
> +                            }
> +                        }
> +                    }
> +                }
> +            } else {
> +                while (length) {
> +                    begin = s->data_count;
> +                    if ((length + begin) < block_size) {
> +                        s->data_count = length + begin;
> +                        length = 0;
> +                     } else {
> +                        s->data_count = block_size;
> +                        length -= block_size - begin;
> +                    }
> +                    cpu_physical_memory_read(dscr.addr,
> +                            &s->fifo_buffer[begin], s->data_count);
> +                    dscr.addr += s->data_count - begin;
> +                    if (s->data_count == block_size) {
> +                        for (n = 0; n < block_size; n++) {
> +                            sd_write_data(s->card, s->fifo_buffer[n]);
> +                        }
> +                        s->data_count = 0;
> +                        if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
> +                            s->blkcnt--;
> +                            if (s->blkcnt == 0) {
> +                                break;
> +                            }
> +                        }
> +                    }
> +                }
> +            }
> +            s->admasysaddr += dscr.incr;
> +            break;
> +        case SDHC_ADMA_ATTR_ACT_LINK:   /* link to next descriptor table */
> +            s->admasysaddr = dscr.addr;
> +            DPRINT_L1("ADMA link: admasysaddr=0x%lx\n", s->admasysaddr);
> +            break;
> +        default:
> +            s->admasysaddr += dscr.incr;
> +            break;
> +        }
> +
> +        /* ADMA transfer terminates if blkcnt == 0 or by END attribute */
> +        if (((s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
> +                    (s->blkcnt == 0)) || (dscr.attr & SDHC_ADMA_ATTR_END)) {
> +            DPRINT_L2("ADMA transfer completed\n");
> +            if (length || ((dscr.attr & SDHC_ADMA_ATTR_END) &&
> +                (s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
> +                s->blkcnt != 0) || ((s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
> +                s->blkcnt == 0 && (dscr.attr & SDHC_ADMA_ATTR_END) == 0)) {
> +                ERRPRINT("SD/MMC host ADMA length mismatch\n");
> +                s->admaerr |= SDHC_ADMAERR_LENGTH_MISMATCH |
> +                        SDHC_ADMAERR_STATE_ST_TFR;
> +                if (s->errintstsen & SDHC_EISEN_ADMAERR) {
> +                    ERRPRINT("Set ADMA error flag\n");
> +                    s->errintsts |= SDHC_EIS_ADMAERR;
> +                    s->norintsts |= SDHC_NIS_ERR;
> +                }
> +
> +                sdhci_update_irq(s);
> +            }
> +            SDHCI_GET_CLASS(s)->end_data_transfer(s);
> +            break;
> +        }
> +
> +        if (dscr.attr & SDHC_ADMA_ATTR_INT) {
> +            DPRINT_L1("ADMA interrupt: admasysaddr=0x%lx\n", s->admasysaddr);
> +            if (s->norintstsen & SDHC_NISEN_DMA) {
> +                s->norintsts |= SDHC_NIS_DMA;
> +            }
> +
> +            sdhci_update_irq(s);
> +            break;
> +        }
> +    }
> +}

So I think the guest can make this loop never terminate if it sets up
a loop of ACT_LINK descriptors, right? I don't know how we should
handle this but I'm pretty sure "make qemu sit there forever not responding
to anything and not resettable" isn't it.

-- PMM
Mitsyanko Igor - Aug. 6, 2012, 11:28 a.m.
On 08/06/2012 02:30 PM, Peter Maydell wrote:
> On 6 August 2012 04:25, Peter A. G. Crosthwaite
> <peter.crosthwaite@petalogix.com> wrote:
>
>> +static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
>> +{
>> +    bool page_aligned = false;
>> +    unsigned int n, begin;
>> +    const uint16_t block_size = s->blksize & 0x0fff;
>> +    uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
>> +    uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
>> +
>> +    /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
>> +     * possible stop at page boundary if initial address is not page aligned,
>> +     * allow them to work properly */
>> +    if ((s->sdmasysad % boundary_chk) == 0) {
>> +        page_aligned = true;
>> +    }
> It's not quite clear to me what this comment is indicating. Is it
> a bit of behaviour which is "not specified but behave as hardware
> happens to do because software is accidentally relying on it", or
> are we behaving differently from hardware here?

Spec states that DMA transfer should stop when controller detects a 
carry out of specified address bits and interrupt should be generated to 
stimulate software to update DMA address register. There's no way to 
disable this behaviour, software can only regulate boundary size through 
bits in BLKSIZE register (4K - 512K). That's how it was implemented 
initially, but it caused u-boot mmc driver (which works fine on real 
hardware) to hang.
The reason for hang is that when u-boot performs large continuous data 
transfer (>512K) to an arbitrary (non page-aligned) address, it doesn't 
care about "stop at page boundary" interrupt at all. It just loops 
forefer, waiting for a DMA transfer completion, which will never 
complete if it stopped at page boundary until software updates address 
register.
The fact that it somehow manages to work on hardware got me thinking 
that it only applies to initially aligned addresses.

>> +static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
>> +{
>> +    uint32_t adma1 = 0;
>> +    uint64_t adma2 = 0;
>> +    target_phys_addr_t entry_addr = (target_phys_addr_t)s->admasysaddr;
>> +
>> +    switch (SDHC_DMA_TYPE(s->hostctl)) {
>> +    case SDHC_CTRL_ADMA2_32:
>> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma2, sizeof(adma2));
>> +        dscr->addr = (target_phys_addr_t)((adma2 >> 32) & 0xfffffffc);
>> +        dscr->length = (uint16_t)((adma2 >> 16) & 0xFFFF);
>> +        dscr->attr = (uint8_t)(adma2 & 0x3F);
> Does the SDHCI spec define that these words are interpreted like
> this regardless of system endianness, or is this an accidental
> assumption of little-endian behaviour?

Spec never says it explicitly, but it's quite obvious that descriptor 
table has a little endian format. There is even a comment in linux SDHCI 
driver that says:

     /*
      * The spec does not specify endianness of descriptor table.
      * We currently guess that it is LE.
      */

>
> -- PMM
>
Peter Maydell - Aug. 6, 2012, 11:29 a.m.
On 6 August 2012 12:28, Igor Mitsyanko <i.mitsyanko@samsung.com> wrote:
> On 08/06/2012 02:30 PM, Peter Maydell wrote:
>>> +static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
>>> +{
>>> +    uint32_t adma1 = 0;
>>> +    uint64_t adma2 = 0;
>>> +    target_phys_addr_t entry_addr = (target_phys_addr_t)s->admasysaddr;
>>> +
>>> +    switch (SDHC_DMA_TYPE(s->hostctl)) {
>>> +    case SDHC_CTRL_ADMA2_32:
>>> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma2,
>>> sizeof(adma2));
>>> +        dscr->addr = (target_phys_addr_t)((adma2 >> 32) & 0xfffffffc);
>>> +        dscr->length = (uint16_t)((adma2 >> 16) & 0xFFFF);
>>> +        dscr->attr = (uint8_t)(adma2 & 0x3F);
>>
>> Does the SDHCI spec define that these words are interpreted like
>> this regardless of system endianness, or is this an accidental
>> assumption of little-endian behaviour?
>
>
> Spec never says it explicitly, but it's quite obvious that descriptor table
> has a little endian format. There is even a comment in linux SDHCI driver
> that says:
>
>     /*
>      * The spec does not specify endianness of descriptor table.
>      * We currently guess that it is LE.
>      */

OK; we could probably use a similar comment.

-- PMM
Mitsyanko Igor - Aug. 6, 2012, 11:45 a.m.
On 08/06/2012 03:15 PM, Peter Maydell wrote:
> On 6 August 2012 04:25, Peter A. G. Crosthwaite
> <peter.crosthwaite@petalogix.com> wrote:
>> From: Igor Mitsyanko <i.mitsyanko@samsung.com>
>>
>> Device model for standard SD Host Controller Interface (SDHCI) compliant with
>> version 2.00 of SD association specification.
>> +typedef struct ADMADescr {
>> +    target_phys_addr_t addr;
>> +    uint16_t length;
>> +    uint8_t attr;
>> +    uint8_t incr;
>> +} ADMADescr;
>> +
>> +static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
>> +{
>> +    uint32_t adma1 = 0;
>> +    uint64_t adma2 = 0;
>> +    target_phys_addr_t entry_addr = (target_phys_addr_t)s->admasysaddr;
>> +
>> +    switch (SDHC_DMA_TYPE(s->hostctl)) {
>> +    case SDHC_CTRL_ADMA2_32:
>> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma2, sizeof(adma2));
>> +        dscr->addr = (target_phys_addr_t)((adma2 >> 32) & 0xfffffffc);
>> +        dscr->length = (uint16_t)((adma2 >> 16) & 0xFFFF);
>> +        dscr->attr = (uint8_t)(adma2 & 0x3F);
>> +        dscr->incr = 8;
>> +        break;
>> +    case SDHC_CTRL_ADMA1_32:
>> +        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma1, sizeof(adma1));
>> +        dscr->addr = (target_phys_addr_t)(adma1 & 0xFFFFF000);
>> +        dscr->attr = (uint8_t)(adma1 & 0x3F);
>> +        dscr->incr = 4;
>> +        if ((dscr->attr & SDHC_ADMA_ATTR_ACT_MASK) == SDHC_ADMA_ATTR_SET_LEN) {
>> +            dscr->length = (uint16_t)((adma1 >> 12) & 0xFFFF);
>> +        } else {
>> +            dscr->length = 4096;
>> +        }
>> +        break;
>> +    case SDHC_CTRL_ADMA2_64:
>> +        cpu_physical_memory_read(entry_addr, (uint8_t *)(&dscr->attr), 1);
>> +        cpu_physical_memory_read(entry_addr + 2, (uint8_t *)(&dscr->length), 2);
>> +        cpu_physical_memory_read(entry_addr + 4, (uint8_t *)(&dscr->addr), 8);
>> +        dscr->attr &= 0xfffffff8;
>> +        dscr->incr = 12;
>> +        break;
>> +    }
>> +}
>> +
>> +/* Advanced DMA data transfer */
>> +static void sdhci_start_adma(SDHCIState *s)
>> +{
>> +    unsigned int n, begin, length;
>> +    const uint16_t block_size = s->blksize & 0x0fff;
>> +    ADMADescr dscr;
>> +    s->admaerr &= ~SDHC_ADMAERR_LENGTH_MISMATCH;
>> +
>> +    while (1) {
>> +        get_adma_description(s, &dscr);
>> +        DPRINT_L2("ADMA loop: addr=" TARGET_FMT_plx ", len=%d, attr=%x\n",
>> +                dscr.addr, dscr.length, dscr.attr);
>> +
>> +        if ((dscr.attr & SDHC_ADMA_ATTR_VALID) == 0) {
>> +            /* Indicate that error occurred in ST_FDS state */
>> +            s->admaerr &= ~SDHC_ADMAERR_STATE_MASK;
>> +            s->admaerr |= SDHC_ADMAERR_STATE_ST_FDS;
>> +
>> +            /* Generate ADMA error interrupt */
>> +            if (s->errintstsen & SDHC_EISEN_ADMAERR) {
>> +                s->errintsts |= SDHC_EIS_ADMAERR;
>> +                s->norintsts |= SDHC_NIS_ERR;
>> +            }
>> +
>> +            sdhci_update_irq(s);
>> +            break;
>> +        }
>> +
>> +        length = dscr.length ? dscr.length : 65536;
>> +
>> +        switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
>> +        case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
>> +
>> +            if (s->trnmod & SDHC_TRNS_READ) {
>> +                while (length) {
>> +                    if (s->data_count == 0) {
>> +                        for (n = 0; n < block_size; n++) {
>> +                            s->fifo_buffer[n] = sd_read_data(s->card);
>> +                        }
>> +                    }
>> +                    begin = s->data_count;
>> +                    if ((length + begin) < block_size) {
>> +                        s->data_count = length + begin;
>> +                        length = 0;
>> +                     } else {
>> +                        s->data_count = block_size;
>> +                        length -= block_size - begin;
>> +                    }
>> +                    cpu_physical_memory_write(dscr.addr, &s->fifo_buffer[begin],
>> +                            s->data_count - begin);
>> +                    dscr.addr += s->data_count - begin;
>> +                    if (s->data_count == block_size) {
>> +                        s->data_count = 0;
>> +                        if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
>> +                            s->blkcnt--;
>> +                            if (s->blkcnt == 0) {
>> +                                break;
>> +                            }
>> +                        }
>> +                    }
>> +                }
>> +            } else {
>> +                while (length) {
>> +                    begin = s->data_count;
>> +                    if ((length + begin) < block_size) {
>> +                        s->data_count = length + begin;
>> +                        length = 0;
>> +                     } else {
>> +                        s->data_count = block_size;
>> +                        length -= block_size - begin;
>> +                    }
>> +                    cpu_physical_memory_read(dscr.addr,
>> +                            &s->fifo_buffer[begin], s->data_count);
>> +                    dscr.addr += s->data_count - begin;
>> +                    if (s->data_count == block_size) {
>> +                        for (n = 0; n < block_size; n++) {
>> +                            sd_write_data(s->card, s->fifo_buffer[n]);
>> +                        }
>> +                        s->data_count = 0;
>> +                        if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
>> +                            s->blkcnt--;
>> +                            if (s->blkcnt == 0) {
>> +                                break;
>> +                            }
>> +                        }
>> +                    }
>> +                }
>> +            }
>> +            s->admasysaddr += dscr.incr;
>> +            break;
>> +        case SDHC_ADMA_ATTR_ACT_LINK:   /* link to next descriptor table */
>> +            s->admasysaddr = dscr.addr;
>> +            DPRINT_L1("ADMA link: admasysaddr=0x%lx\n", s->admasysaddr);
>> +            break;
>> +        default:
>> +            s->admasysaddr += dscr.incr;
>> +            break;
>> +        }
>> +
>> +        /* ADMA transfer terminates if blkcnt == 0 or by END attribute */
>> +        if (((s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
>> +                    (s->blkcnt == 0)) || (dscr.attr & SDHC_ADMA_ATTR_END)) {
>> +            DPRINT_L2("ADMA transfer completed\n");
>> +            if (length || ((dscr.attr & SDHC_ADMA_ATTR_END) &&
>> +                (s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
>> +                s->blkcnt != 0) || ((s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
>> +                s->blkcnt == 0 && (dscr.attr & SDHC_ADMA_ATTR_END) == 0)) {
>> +                ERRPRINT("SD/MMC host ADMA length mismatch\n");
>> +                s->admaerr |= SDHC_ADMAERR_LENGTH_MISMATCH |
>> +                        SDHC_ADMAERR_STATE_ST_TFR;
>> +                if (s->errintstsen & SDHC_EISEN_ADMAERR) {
>> +                    ERRPRINT("Set ADMA error flag\n");
>> +                    s->errintsts |= SDHC_EIS_ADMAERR;
>> +                    s->norintsts |= SDHC_NIS_ERR;
>> +                }
>> +
>> +                sdhci_update_irq(s);
>> +            }
>> +            SDHCI_GET_CLASS(s)->end_data_transfer(s);
>> +            break;
>> +        }
>> +
>> +        if (dscr.attr & SDHC_ADMA_ATTR_INT) {
>> +            DPRINT_L1("ADMA interrupt: admasysaddr=0x%lx\n", s->admasysaddr);
>> +            if (s->norintstsen & SDHC_NISEN_DMA) {
>> +                s->norintsts |= SDHC_NIS_DMA;
>> +            }
>> +
>> +            sdhci_update_irq(s);
>> +            break;
>> +        }
>> +    }
>> +}
> So I think the guest can make this loop never terminate if it sets up
> a loop of ACT_LINK descriptors, right? I don't know how we should
> handle this but I'm pretty sure "make qemu sit there forever not responding
> to anything and not resettable" isn't it.
>
> -- PMM
>

That could only happen if guest would do this on purpose, but I see your 
point. There's no way for us to tell if SD card read/write succeeded or 
not, so I think the only way to to this is to suspend transfer after 
some reasonable amount of loops and resume it by qemu_timer, giving CPU 
time to do something useful.
I've never seen long ADMA loops, so it wouldn't reflect on performance 
in any way.
Mitsyanko Igor - Aug. 6, 2012, 12:35 p.m.
Recently I've noticed that drive_get_next() usage is not very convenient 
if you want to use specific SD controller interface. Maybe we should 
switch from drive_get_next() to DEFINE_PROP_DRIVE()? It'll still 
preserve "-sd .." behaviour. What do you think Peter?
Peter A. G. Crosthwaite - Aug. 7, 2012, 6:31 a.m.
>>> +            sdhci_update_irq(s);
>>> +            break;
>>> +        }
>>> +    }
>>> +}
>>
>> So I think the guest can make this loop never terminate if it sets up
>> a loop of ACT_LINK descriptors, right? I don't know how we should
>> handle this but I'm pretty sure "make qemu sit there forever not
>> responding
>> to anything and not resettable" isn't it.
>>

Can I suggest that this is a general problem, that needs to be solved
by the AIO layer. The AIO+block layer uses coroutines to do
chunk-by-chunk non-blocking IO. I dont see how this is different. The
problem is solved by setting up asynchronous DMA transactions or even
better, arbitrary asynchronous hardware events. AIO DMA would have a
similar api to the block layer and would solve this problem once,
rather than having to put ptimers or coroutine-foo in every SGDMA
capable devices to watchdog for infinite loops.

>> -- PMM
>>
>
> That could only happen if guest would do this on purpose, but I see your
> point. There's no way for us to tell if SD card read/write succeeded or not,

I think we are talking about corner cases here. If there is major
infrastructural developments needed to do this properly (which I think
there might very well be), then can we declare this issue out of scope
of this series and come back to this as an incremental development.

To summarise, its a hard problem to solve with minimal reward.

Regards,
Peter

> so I think the only way to to this is to suspend transfer after some
> reasonable amount of loops and resume it by qemu_timer, giving CPU time to
> do something useful.
> I've never seen long ADMA loops, so it wouldn't reflect on performance in
> any way.
Peter A. G. Crosthwaite - Aug. 10, 2012, 11:56 a.m.
Ping!

Any further thoughts here?

There seem to be a few minor correction for PPM, but the sore-thumb
issue is the long/infinite ADMA. Is there an (easy) AIO based solution
to be had or do we need to do some sort of ptimer hack?

Regards,
Peter

On Tue, Aug 7, 2012 at 4:31 PM, Peter Crosthwaite
<peter.crosthwaite@petalogix.com> wrote:
>>>> +            sdhci_update_irq(s);
>>>> +            break;
>>>> +        }
>>>> +    }
>>>> +}
>>>
>>> So I think the guest can make this loop never terminate if it sets up
>>> a loop of ACT_LINK descriptors, right? I don't know how we should
>>> handle this but I'm pretty sure "make qemu sit there forever not
>>> responding
>>> to anything and not resettable" isn't it.
>>>
>
> Can I suggest that this is a general problem, that needs to be solved
> by the AIO layer. The AIO+block layer uses coroutines to do
> chunk-by-chunk non-blocking IO. I dont see how this is different. The
> problem is solved by setting up asynchronous DMA transactions or even
> better, arbitrary asynchronous hardware events. AIO DMA would have a
> similar api to the block layer and would solve this problem once,
> rather than having to put ptimers or coroutine-foo in every SGDMA
> capable devices to watchdog for infinite loops.
>
>>> -- PMM
>>>
>>
>> That could only happen if guest would do this on purpose, but I see your
>> point. There's no way for us to tell if SD card read/write succeeded or not,
>
> I think we are talking about corner cases here. If there is major
> infrastructural developments needed to do this properly (which I think
> there might very well be), then can we declare this issue out of scope
> of this series and come back to this as an incremental development.
>
> To summarise, its a hard problem to solve with minimal reward.
>
> Regards,
> Peter
>
>> so I think the only way to to this is to suspend transfer after some
>> reasonable amount of loops and resume it by qemu_timer, giving CPU time to
>> do something useful.
>> I've never seen long ADMA loops, so it wouldn't reflect on performance in
>> any way.

Patch

diff --git a/default-configs/arm-softmmu.mak b/default-configs/arm-softmmu.mak
index e542b4f..314784b 100644
--- a/default-configs/arm-softmmu.mak
+++ b/default-configs/arm-softmmu.mak
@@ -27,3 +27,4 @@  CONFIG_SMC91C111=y
 CONFIG_DS1338=y
 CONFIG_PFLASH_CFI01=y
 CONFIG_PFLASH_CFI02=y
+CONFIG_SDHCI=y
diff --git a/hw/Makefile.objs b/hw/Makefile.objs
index 9a350de..be8639f 100644
--- a/hw/Makefile.objs
+++ b/hw/Makefile.objs
@@ -35,6 +35,7 @@  hw-obj-$(CONFIG_APPLESMC) += applesmc.o
 hw-obj-$(CONFIG_SMARTCARD) += ccid-card-passthru.o
 hw-obj-$(CONFIG_SMARTCARD_NSS) += ccid-card-emulated.o
 hw-obj-$(CONFIG_I8259) += i8259_common.o i8259.o
+hw-obj-$(CONFIG_SDHCI) += sdhci.o
 
 # PPC devices
 hw-obj-$(CONFIG_PREP_PCI) += prep_pci.o
diff --git a/hw/sdhci.c b/hw/sdhci.c
new file mode 100644
index 0000000..9bc43bb
--- /dev/null
+++ b/hw/sdhci.c
@@ -0,0 +1,1262 @@ 
+/*
+ * SD Association Host Standard Specification v2.0 controller emulation
+ *
+ * Copyright (c) 2011 Samsung Electronics Co., Ltd.
+ * Mitsyanko Igor <i.mitsyanko@samsung.com>
+ * Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
+ *
+ * Based on MMC controller for Samsung S5PC1xx-based board emulation
+ * by Alexey Merkulov and Vladimir Monakhov.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "hw.h"
+#include "blockdev.h"
+#include "qemu-timer.h"
+#include "sdhci.h"
+#include "block_int.h"
+
+/* host controller debug messages */
+#define SDHC_DEBUG                        0
+
+#if SDHC_DEBUG == 0
+    #define DPRINT_L1(fmt, args...)       do { } while (0)
+    #define DPRINT_L2(fmt, args...)       do { } while (0)
+    #define ERRPRINT(fmt, args...)        do { } while (0)
+#elif SDHC_DEBUG == 1
+    #define DPRINT_L1(fmt, args...)       \
+        do {fprintf(stderr, "QEMU SDHC: "fmt, ## args); } while (0)
+    #define DPRINT_L2(fmt, args...)       do { } while (0)
+    #define ERRPRINT(fmt, args...)        \
+        do {fprintf(stderr, "QEMU SDHC ERROR: "fmt, ## args); } while (0)
+#else
+    #define DPRINT_L1(fmt, args...)       \
+        do {fprintf(stderr, "QEMU SDHC: "fmt, ## args); } while (0)
+    #define DPRINT_L2(fmt, args...)       \
+        do {fprintf(stderr, "QEMU SDHC: "fmt, ## args); } while (0)
+    #define ERRPRINT(fmt, args...)        \
+        do {fprintf(stderr, "QEMU SDHC ERROR: "fmt, ## args); } while (0)
+#endif
+
+/* Default SD/MMC host controller features information, which will be
+ * presented in CAPABILITIES register of generic SD host controller at reset.
+ * If not stated otherwise:
+ * 0 - not supported, 1 - supported, other - prohibited.
+ */
+#define SDHC_CAPAB_64BITBUS       0ul        /* 64-bit System Bus Support */
+#define SDHC_CAPAB_18V            1ul        /* Voltage support 1.8v */
+#define SDHC_CAPAB_30V            0ul        /* Voltage support 3.0v */
+#define SDHC_CAPAB_33V            1ul        /* Voltage support 3.3v */
+#define SDHC_CAPAB_SUSPRESUME     0ul        /* Suspend/resume support */
+#define SDHC_CAPAB_SDMA           1ul        /* SDMA support */
+#define SDHC_CAPAB_HIGHSPEED      1ul        /* High speed support */
+#define SDHC_CAPAB_ADMA1          1ul        /* ADMA1 support */
+#define SDHC_CAPAB_ADMA2          1ul        /* ADMA2 support */
+/* Maximum host controller R/W buffers size
+ * Possible values: 512, 1024, 2048 bytes */
+#define SDHC_CAPAB_MAXBLOCKLENGTH 512ul
+/* Maximum clock frequency for SDclock in MHz
+ * value in range 10-63 MHz, 0 - not defined */
+#define SDHC_CAPAB_BASECLKFREQ    0ul
+#define SDHC_CAPAB_TOUNIT         1ul  /* Timeout clock unit 0 - kHz, 1 - MHz */
+/* Timeout clock frequency 1-63, 0 - not defined */
+#define SDHC_CAPAB_TOCLKFREQ      0ul
+
+/* Now check all parameters and calculate CAPABILITIES REGISTER value */
+#if SDHC_CAPAB_64BITBUS > 1 || SDHC_CAPAB_18V > 1 || SDHC_CAPAB_30V > 1 ||     \
+    SDHC_CAPAB_33V > 1 || SDHC_CAPAB_SUSPRESUME > 1 || SDHC_CAPAB_SDMA > 1 ||  \
+    SDHC_CAPAB_HIGHSPEED > 1 || SDHC_CAPAB_ADMA2 > 1 || SDHC_CAPAB_ADMA1 > 1 ||\
+    SDHC_CAPAB_TOUNIT > 1
+#error Capabilities features can have value 0 or 1 only!
+#endif
+
+#if SDHC_CAPAB_MAXBLOCKLENGTH == 512
+#define MAX_BLOCK_LENGTH 0ul
+#elif SDHC_CAPAB_MAXBLOCKLENGTH == 1024
+#define MAX_BLOCK_LENGTH 1ul
+#elif SDHC_CAPAB_MAXBLOCKLENGTH == 2048
+#define MAX_BLOCK_LENGTH 2ul
+#else
+#error Max host controller block size can have value 512, 1024 or 2048 only!
+#endif
+
+#if (SDHC_CAPAB_BASECLKFREQ > 0 && SDHC_CAPAB_BASECLKFREQ < 10) || \
+    SDHC_CAPAB_BASECLKFREQ > 63
+#error SDclock frequency can have value in range 0, 10-63 only!
+#endif
+
+#if SDHC_CAPAB_TOCLKFREQ > 63
+#error Timeout clock frequency can have value in range 0-63 only!
+#endif
+
+#define SDHC_CAPAB_REG_DEFAULT                                 \
+   ((SDHC_CAPAB_64BITBUS << 28) | (SDHC_CAPAB_18V << 26) |     \
+    (SDHC_CAPAB_30V << 25) | (SDHC_CAPAB_33V << 24) |          \
+    (SDHC_CAPAB_SUSPRESUME << 23) | (SDHC_CAPAB_SDMA << 22) |  \
+    (SDHC_CAPAB_HIGHSPEED << 21) | (SDHC_CAPAB_ADMA1 << 20) |  \
+    (SDHC_CAPAB_ADMA2 << 19) | (MAX_BLOCK_LENGTH << 16) |      \
+    (SDHC_CAPAB_BASECLKFREQ << 8) | (SDHC_CAPAB_TOUNIT << 7) | \
+    (SDHC_CAPAB_TOCLKFREQ))
+
+#define MASKED_WRITE(reg, mask, val)  (reg = (reg & (mask)) | (val))
+
+static uint8_t sdhci_slotint(SDHCIState *s)
+{
+    return (s->norintsts & s->norintsigen) || (s->errintsts & s->errintsigen) ||
+         ((s->norintsts & SDHC_NIS_INSERT) && (s->wakcon & SDHC_WKUP_ON_INS)) ||
+         ((s->norintsts & SDHC_NIS_REMOVE) && (s->wakcon & SDHC_WKUP_ON_RMV));
+}
+
+static inline void sdhci_update_irq(SDHCIState *s)
+{
+    qemu_set_irq(s->irq, sdhci_slotint(s));
+}
+
+static void sdhci_raise_insertion_irq(void *opaque)
+{
+    SDHCIState *s = (SDHCIState *)opaque;
+
+    if (s->norintsts & SDHC_NIS_REMOVE) {
+        qemu_mod_timer(s->insert_timer,
+                       qemu_get_clock_ns(vm_clock) + SDHC_INSERTION_DELAY);
+    } else {
+        s->prnsts = 0x1ff0000;
+        if (s->norintstsen & SDHC_NISEN_INSERT) {
+            s->norintsts |= SDHC_NIS_INSERT;
+        }
+        sdhci_update_irq(s);
+    }
+}
+
+static void sdhci_insert_eject_cb(void *opaque, int irq, int level)
+{
+    SDHCIState *s = (SDHCIState *)opaque;
+    DPRINT_L1("Card state changed: %s!\n", level ? "insert" : "eject");
+
+    if ((s->norintsts & SDHC_NIS_REMOVE) && level) {
+        /* Give target some time to notice card ejection */
+        qemu_mod_timer(s->insert_timer,
+                       qemu_get_clock_ns(vm_clock) + SDHC_INSERTION_DELAY);
+    } else {
+        if (level) {
+            s->prnsts = 0x1ff0000;
+            if (s->norintstsen & SDHC_NISEN_INSERT) {
+                s->norintsts |= SDHC_NIS_INSERT;
+            }
+        } else {
+            s->prnsts = 0x1fa0000;
+            s->pwrcon &= ~SDHC_POWER_ON;
+            s->clkcon &= ~SDHC_CLOCK_SDCLK_EN;
+            if (s->norintstsen & SDHC_NISEN_REMOVE) {
+                s->norintsts |= SDHC_NIS_REMOVE;
+            }
+        }
+        sdhci_update_irq(s);
+    }
+}
+
+static void sdhci_card_readonly_cb(void *opaque, int irq, int level)
+{
+    SDHCIState *s = (SDHCIState *)opaque;
+
+    if (level) {
+        s->prnsts &= ~SDHC_WRITE_PROTECT;
+    } else {
+        /* Write enabled */
+        s->prnsts |= SDHC_WRITE_PROTECT;
+    }
+}
+
+static void sdhci_reset(SDHCIState *s)
+{
+    qemu_del_timer(s->insert_timer);
+    /* Set all registers to 0. Capabilities registers are not cleared
+     * and assumed to always preserve their value, given to them during
+     * initialization */
+    memset(&s->sdmasysad, 0, (uintptr_t)&s->capareg - (uintptr_t)&s->sdmasysad);
+
+    sd_set_cb(s->card, s->ro_cb, s->eject_cb);
+    s->data_count = 0;
+    s->stopped_state = sdhc_not_stopped;
+}
+
+static void sdhci_send_command(SDHCIState *s)
+{
+    SDRequest request;
+    uint8_t response[16];
+    int rlen;
+
+    s->errintsts = 0;
+    s->acmd12errsts = 0;
+    request.cmd = s->cmdreg >> 8;
+    request.arg = s->argument;
+    DPRINT_L1("sending CMD%u ARG[0x%08x]\n", request.cmd, request.arg);
+    rlen = sd_do_command(s->card, &request, response);
+
+    if (s->cmdreg & SDHC_CMD_RESPONSE) {
+        if (rlen == 4) {
+            s->rspreg[0] = (response[0] << 24) | (response[1] << 16) |
+                           (response[2] << 8)  |  response[3];
+            s->rspreg[1] = s->rspreg[2] = s->rspreg[3] = 0;
+            DPRINT_L1("Response: RSPREG[31..0]=0x%08x\n", s->rspreg[0]);
+        } else if (rlen == 16) {
+            s->rspreg[0] = (response[11] << 24) | (response[12] << 16) |
+                           (response[13] << 8) |  response[14];
+            s->rspreg[1] = (response[7] << 24) | (response[8] << 16) |
+                           (response[9] << 8)  |  response[10];
+            s->rspreg[2] = (response[3] << 24) | (response[4] << 16) |
+                           (response[5] << 8)  |  response[6];
+            s->rspreg[3] = (response[0] << 16) | (response[1] << 8) |
+                            response[2];
+            DPRINT_L1("Response received:\n RSPREG[127..96]=0x%08x, RSPREG[95.."
+                  "64]=0x%08x,\n RSPREG[63..32]=0x%08x, RSPREG[31..0]=0x%08x\n",
+                  s->rspreg[3], s->rspreg[2], s->rspreg[1], s->rspreg[0]);
+        } else {
+            ERRPRINT("Timeout waiting for command response\n");
+            if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
+                s->errintsts |= SDHC_EIS_CMDTIMEOUT;
+                s->norintsts |= SDHC_NIS_ERR;
+            }
+        }
+
+        if ((s->norintstsen & SDHC_NISEN_TRSCMP) &&
+            (s->cmdreg & SDHC_CMD_RESPONSE) == SDHC_CMD_RSP_WITH_BUSY) {
+            s->norintsts |= SDHC_NIS_TRSCMP;
+        }
+    } else if (rlen != 0 && (s->errintstsen & SDHC_EISEN_CMDIDX)) {
+        s->errintsts |= SDHC_EIS_CMDIDX;
+        s->norintsts |= SDHC_NIS_ERR;
+    }
+
+    if (s->norintstsen & SDHC_NISEN_CMDCMP) {
+        s->norintsts |= SDHC_NIS_CMDCMP;
+    }
+
+    sdhci_update_irq(s);
+
+    if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
+        SDHCI_GET_CLASS(s)->start_data_transfer(s);
+    }
+}
+
+static void sdhci_end_transfer(SDHCIState *s)
+{
+    /* Automatically send CMD12 to stop transfer if AutoCMD12 enabled */
+    if ((s->trnmod & SDHC_TRNS_ACMD12) != 0) {
+        SDRequest request;
+        uint8_t response[16];
+
+        request.cmd = 0x0C;
+        request.arg = 0;
+        DPRINT_L1("Automatically issue CMD%d %08x\n", request.cmd, request.arg);
+        sd_do_command(s->card, &request, response);
+        /* Auto CMD12 response goes to the upper Response register */
+        s->rspreg[3] = (response[0] << 24) | (response[1] << 16) |
+                (response[2] << 8) | response[3];
+    }
+
+    s->prnsts &= ~(SDHC_DOING_READ | SDHC_DOING_WRITE |
+            SDHC_DAT_LINE_ACTIVE | SDHC_DATA_INHIBIT |
+            SDHC_SPACE_AVAILABLE | SDHC_DATA_AVAILABLE);
+
+    if (s->norintstsen & SDHC_NISEN_TRSCMP) {
+        s->norintsts |= SDHC_NIS_TRSCMP;
+    }
+
+    sdhci_update_irq(s);
+}
+
+/*
+ * Programmed i/o data transfer
+ */
+
+/* Fill host controller's read buffer with BLKSIZE bytes of data from card */
+static void sdhci_read_block_from_card(SDHCIState *s)
+{
+    int index = 0;
+
+    if ((s->trnmod & SDHC_TRNS_MULTI) &&
+            (s->trnmod & SDHC_TRNS_BLK_CNT_EN) && (s->blkcnt == 0)) {
+        return;
+    }
+
+    for (index = 0; index < (s->blksize & 0x0fff); index++) {
+        s->fifo_buffer[index] = sd_read_data(s->card);
+    }
+
+    /* New data now available for READ through Buffer Port Register */
+    s->prnsts |= SDHC_DATA_AVAILABLE;
+    if (s->norintstsen & SDHC_NISEN_RBUFRDY) {
+        s->norintsts |= SDHC_NIS_RBUFRDY;
+    }
+
+    /* Clear DAT line active status if that was the last block */
+    if ((s->trnmod & SDHC_TRNS_MULTI) == 0 ||
+            ((s->trnmod & SDHC_TRNS_MULTI) && s->blkcnt == 1)) {
+        s->prnsts &= ~SDHC_DAT_LINE_ACTIVE;
+    }
+
+    /* If stop at block gap request was set and it's not the last block of
+     * data - generate Block Event interrupt */
+    if (s->stopped_state == sdhc_gap_read && (s->trnmod & SDHC_TRNS_MULTI) &&
+            s->blkcnt != 1)    {
+        s->prnsts &= ~SDHC_DAT_LINE_ACTIVE;
+        if (s->norintstsen & SDHC_EISEN_BLKGAP) {
+            s->norintsts |= SDHC_EIS_BLKGAP;
+        }
+    }
+
+    sdhci_update_irq(s);
+}
+
+/* Read @size byte of data from host controller @s BUFFER DATA PORT register */
+static uint32_t sdhci_read_dataport(SDHCIState *s, unsigned size)
+{
+    uint32_t value = 0;
+    int i;
+
+    /* first check that a valid data exists in host controller input buffer */
+    if ((s->prnsts & SDHC_DATA_AVAILABLE) == 0) {
+        ERRPRINT("Trying to read from empty buffer\n");
+        return 0;
+    }
+
+    for (i = 0; i < size; i++) {
+        value |= s->fifo_buffer[s->data_count] << i * 8;
+        s->data_count++;
+        /* check if we've read all valid data (blksize bytes) from buffer */
+        if ((s->data_count) >= (s->blksize & 0x0fff)) {
+            DPRINT_L2("All %u bytes of data have been read from input buffer\n",
+                    s->data_count);
+            s->prnsts &= ~SDHC_DATA_AVAILABLE; /* no more data in a buffer */
+            s->data_count = 0;  /* next buff read must start at position [0] */
+
+            if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+                s->blkcnt--;
+            }
+
+            /* if that was the last block of data */
+            if ((s->trnmod & SDHC_TRNS_MULTI) == 0 ||
+                ((s->trnmod & SDHC_TRNS_BLK_CNT_EN) && (s->blkcnt == 0)) ||
+                 /* stop at gap request */
+                (s->stopped_state == sdhc_gap_read &&
+                 !(s->prnsts & SDHC_DAT_LINE_ACTIVE))) {
+                SDHCI_GET_CLASS(s)->end_data_transfer(s);
+            } else { /* if there are more data, read next block from card */
+                SDHCI_GET_CLASS(s)->read_block_from_card(s);
+            }
+            break;
+        }
+    }
+
+    return value;
+}
+
+/* Write data from host controller FIFO to card */
+static void sdhci_write_block_to_card(SDHCIState *s)
+{
+    int index = 0;
+
+    if (s->prnsts & SDHC_SPACE_AVAILABLE) {
+        if (s->norintstsen & SDHC_NISEN_WBUFRDY) {
+            s->norintsts |= SDHC_NIS_WBUFRDY;
+        }
+        sdhci_update_irq(s);
+        return;
+    }
+
+    if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+        if (s->blkcnt == 0) {
+            return;
+        } else {
+            s->blkcnt--;
+        }
+    }
+
+    for (index = 0; index < (s->blksize & 0x0fff); index++) {
+        sd_write_data(s->card, s->fifo_buffer[index]);
+    }
+
+    /* Next data can be written through BUFFER DATORT register */
+    s->prnsts |= SDHC_SPACE_AVAILABLE;
+    if (s->norintstsen & SDHC_NISEN_WBUFRDY) {
+        s->norintsts |= SDHC_NIS_WBUFRDY;
+    }
+
+    /* Finish transfer if that was the last block of data */
+    if ((s->trnmod & SDHC_TRNS_MULTI) == 0 ||
+            ((s->trnmod & SDHC_TRNS_MULTI) &&
+            (s->trnmod & SDHC_TRNS_BLK_CNT_EN) && (s->blkcnt == 0))) {
+        SDHCI_GET_CLASS(s)->end_data_transfer(s);
+    }
+
+    /* Generate Block Gap Event if requested and if not the last block */
+    if (s->stopped_state == sdhc_gap_write && (s->trnmod & SDHC_TRNS_MULTI) &&
+            s->blkcnt > 0) {
+        s->prnsts &= ~SDHC_DOING_WRITE;
+        if (s->norintstsen & SDHC_EISEN_BLKGAP) {
+            s->norintsts |= SDHC_EIS_BLKGAP;
+        }
+        SDHCI_GET_CLASS(s)->end_data_transfer(s);
+    }
+
+    sdhci_update_irq(s);
+}
+
+/* Write @size bytes of @value data to host controller @s Buffer Data Port
+ * register */
+static void sdhci_write_dataport(SDHCIState *s, uint32_t value, unsigned size)
+{
+    unsigned i;
+
+    /* Check that there is free space left in a buffer */
+    if (!(s->prnsts & SDHC_SPACE_AVAILABLE)) {
+        ERRPRINT("Can't write to data buffer: buffer full\n");
+        return;
+    }
+
+    for (i = 0; i < size; i++) {
+        s->fifo_buffer[s->data_count] = value & 0xFF;
+        s->data_count++;
+        value >>= 8;
+        if (s->data_count >= (s->blksize & 0x0fff)) {
+            DPRINT_L2("write buffer filled with %u bytes of data\n",
+                    s->data_count);
+            s->data_count = 0;
+            s->prnsts &= ~SDHC_SPACE_AVAILABLE;
+            if (s->prnsts & SDHC_DOING_WRITE) {
+                SDHCI_GET_CLASS(s)->write_block_to_card(s);
+            }
+        }
+    }
+}
+
+/*
+ * Single DMA data transfer
+ */
+
+/* Multi block SDMA transfer */
+static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+{
+    bool page_aligned = false;
+    unsigned int n, begin;
+    const uint16_t block_size = s->blksize & 0x0fff;
+    uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
+    uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
+
+    /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
+     * possible stop at page boundary if initial address is not page aligned,
+     * allow them to work properly */
+    if ((s->sdmasysad % boundary_chk) == 0) {
+        page_aligned = true;
+    }
+
+    if (s->trnmod & SDHC_TRNS_READ) {
+        s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
+                SDHC_DAT_LINE_ACTIVE;
+        while (s->blkcnt) {
+            if (s->data_count == 0) {
+                for (n = 0; n < block_size; n++) {
+                    s->fifo_buffer[n] = sd_read_data(s->card);
+                }
+            }
+            begin = s->data_count;
+            if (((boundary_count + begin) < block_size) && page_aligned) {
+                s->data_count = boundary_count + begin;
+                boundary_count = 0;
+             } else {
+                s->data_count = block_size;
+                boundary_count -= block_size - begin;
+                if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+                    s->blkcnt--;
+                }
+            }
+            cpu_physical_memory_write(s->sdmasysad, &s->fifo_buffer[begin],
+                    s->data_count - begin);
+            s->sdmasysad += s->data_count - begin;
+            if (s->data_count == block_size) {
+                s->data_count = 0;
+            }
+            if (page_aligned && boundary_count == 0) {
+                break;
+            }
+        }
+    } else {
+        s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
+                SDHC_DAT_LINE_ACTIVE;
+        while (s->blkcnt) {
+            begin = s->data_count;
+            if (((boundary_count + begin) < block_size) && page_aligned) {
+                s->data_count = boundary_count + begin;
+                boundary_count = 0;
+             } else {
+                s->data_count = block_size;
+                boundary_count -= block_size - begin;
+            }
+            cpu_physical_memory_read(s->sdmasysad,
+                    &s->fifo_buffer[begin], s->data_count);
+            s->sdmasysad += s->data_count - begin;
+            if (s->data_count == block_size) {
+                for (n = 0; n < block_size; n++) {
+                    sd_write_data(s->card, s->fifo_buffer[n]);
+                }
+                s->data_count = 0;
+                if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+                    s->blkcnt--;
+                }
+            }
+            if (page_aligned && boundary_count == 0) {
+                break;
+            }
+        }
+    }
+
+    if (s->blkcnt == 0) {
+        SDHCI_GET_CLASS(s)->end_data_transfer(s);
+    } else {
+        if (s->norintstsen & SDHC_NISEN_DMA) {
+            s->norintsts |= SDHC_NIS_DMA;
+        }
+        sdhci_update_irq(s);
+    }
+}
+
+/* single block SDMA transfer */
+static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+{
+    int n;
+    uint32_t datacnt = s->blksize & 0x0fff;
+
+    if (s->trnmod & SDHC_TRNS_READ) {
+        for (n = 0; n < datacnt; n++) {
+            s->fifo_buffer[n] = sd_read_data(s->card);
+        }
+        cpu_physical_memory_write(s->sdmasysad, s->fifo_buffer, datacnt);
+    } else {
+        cpu_physical_memory_read(s->sdmasysad, s->fifo_buffer, datacnt);
+        for (n = 0; n < datacnt; n++) {
+            sd_write_data(s->card, s->fifo_buffer[n]);
+        }
+    }
+
+    if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+        s->blkcnt--;
+    }
+
+    SDHCI_GET_CLASS(s)->end_data_transfer(s);
+}
+
+typedef struct ADMADescr {
+    target_phys_addr_t addr;
+    uint16_t length;
+    uint8_t attr;
+    uint8_t incr;
+} ADMADescr;
+
+static void get_adma_description(SDHCIState *s, ADMADescr *dscr)
+{
+    uint32_t adma1 = 0;
+    uint64_t adma2 = 0;
+    target_phys_addr_t entry_addr = (target_phys_addr_t)s->admasysaddr;
+
+    switch (SDHC_DMA_TYPE(s->hostctl)) {
+    case SDHC_CTRL_ADMA2_32:
+        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma2, sizeof(adma2));
+        dscr->addr = (target_phys_addr_t)((adma2 >> 32) & 0xfffffffc);
+        dscr->length = (uint16_t)((adma2 >> 16) & 0xFFFF);
+        dscr->attr = (uint8_t)(adma2 & 0x3F);
+        dscr->incr = 8;
+        break;
+    case SDHC_CTRL_ADMA1_32:
+        cpu_physical_memory_read(entry_addr, (uint8_t *)&adma1, sizeof(adma1));
+        dscr->addr = (target_phys_addr_t)(adma1 & 0xFFFFF000);
+        dscr->attr = (uint8_t)(adma1 & 0x3F);
+        dscr->incr = 4;
+        if ((dscr->attr & SDHC_ADMA_ATTR_ACT_MASK) == SDHC_ADMA_ATTR_SET_LEN) {
+            dscr->length = (uint16_t)((adma1 >> 12) & 0xFFFF);
+        } else {
+            dscr->length = 4096;
+        }
+        break;
+    case SDHC_CTRL_ADMA2_64:
+        cpu_physical_memory_read(entry_addr, (uint8_t *)(&dscr->attr), 1);
+        cpu_physical_memory_read(entry_addr + 2, (uint8_t *)(&dscr->length), 2);
+        cpu_physical_memory_read(entry_addr + 4, (uint8_t *)(&dscr->addr), 8);
+        dscr->attr &= 0xfffffff8;
+        dscr->incr = 12;
+        break;
+    }
+}
+
+/* Advanced DMA data transfer */
+static void sdhci_start_adma(SDHCIState *s)
+{
+    unsigned int n, begin, length;
+    const uint16_t block_size = s->blksize & 0x0fff;
+    ADMADescr dscr;
+    s->admaerr &= ~SDHC_ADMAERR_LENGTH_MISMATCH;
+
+    while (1) {
+        get_adma_description(s, &dscr);
+        DPRINT_L2("ADMA loop: addr=" TARGET_FMT_plx ", len=%d, attr=%x\n",
+                dscr.addr, dscr.length, dscr.attr);
+
+        if ((dscr.attr & SDHC_ADMA_ATTR_VALID) == 0) {
+            /* Indicate that error occurred in ST_FDS state */
+            s->admaerr &= ~SDHC_ADMAERR_STATE_MASK;
+            s->admaerr |= SDHC_ADMAERR_STATE_ST_FDS;
+
+            /* Generate ADMA error interrupt */
+            if (s->errintstsen & SDHC_EISEN_ADMAERR) {
+                s->errintsts |= SDHC_EIS_ADMAERR;
+                s->norintsts |= SDHC_NIS_ERR;
+            }
+
+            sdhci_update_irq(s);
+            break;
+        }
+
+        length = dscr.length ? dscr.length : 65536;
+
+        switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
+        case SDHC_ADMA_ATTR_ACT_TRAN:  /* data transfer */
+
+            if (s->trnmod & SDHC_TRNS_READ) {
+                while (length) {
+                    if (s->data_count == 0) {
+                        for (n = 0; n < block_size; n++) {
+                            s->fifo_buffer[n] = sd_read_data(s->card);
+                        }
+                    }
+                    begin = s->data_count;
+                    if ((length + begin) < block_size) {
+                        s->data_count = length + begin;
+                        length = 0;
+                     } else {
+                        s->data_count = block_size;
+                        length -= block_size - begin;
+                    }
+                    cpu_physical_memory_write(dscr.addr, &s->fifo_buffer[begin],
+                            s->data_count - begin);
+                    dscr.addr += s->data_count - begin;
+                    if (s->data_count == block_size) {
+                        s->data_count = 0;
+                        if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+                            s->blkcnt--;
+                            if (s->blkcnt == 0) {
+                                break;
+                            }
+                        }
+                    }
+                }
+            } else {
+                while (length) {
+                    begin = s->data_count;
+                    if ((length + begin) < block_size) {
+                        s->data_count = length + begin;
+                        length = 0;
+                     } else {
+                        s->data_count = block_size;
+                        length -= block_size - begin;
+                    }
+                    cpu_physical_memory_read(dscr.addr,
+                            &s->fifo_buffer[begin], s->data_count);
+                    dscr.addr += s->data_count - begin;
+                    if (s->data_count == block_size) {
+                        for (n = 0; n < block_size; n++) {
+                            sd_write_data(s->card, s->fifo_buffer[n]);
+                        }
+                        s->data_count = 0;
+                        if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+                            s->blkcnt--;
+                            if (s->blkcnt == 0) {
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+            s->admasysaddr += dscr.incr;
+            break;
+        case SDHC_ADMA_ATTR_ACT_LINK:   /* link to next descriptor table */
+            s->admasysaddr = dscr.addr;
+            DPRINT_L1("ADMA link: admasysaddr=0x%lx\n", s->admasysaddr);
+            break;
+        default:
+            s->admasysaddr += dscr.incr;
+            break;
+        }
+
+        /* ADMA transfer terminates if blkcnt == 0 or by END attribute */
+        if (((s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
+                    (s->blkcnt == 0)) || (dscr.attr & SDHC_ADMA_ATTR_END)) {
+            DPRINT_L2("ADMA transfer completed\n");
+            if (length || ((dscr.attr & SDHC_ADMA_ATTR_END) &&
+                (s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
+                s->blkcnt != 0) || ((s->trnmod & SDHC_TRNS_BLK_CNT_EN) &&
+                s->blkcnt == 0 && (dscr.attr & SDHC_ADMA_ATTR_END) == 0)) {
+                ERRPRINT("SD/MMC host ADMA length mismatch\n");
+                s->admaerr |= SDHC_ADMAERR_LENGTH_MISMATCH |
+                        SDHC_ADMAERR_STATE_ST_TFR;
+                if (s->errintstsen & SDHC_EISEN_ADMAERR) {
+                    ERRPRINT("Set ADMA error flag\n");
+                    s->errintsts |= SDHC_EIS_ADMAERR;
+                    s->norintsts |= SDHC_NIS_ERR;
+                }
+
+                sdhci_update_irq(s);
+            }
+            SDHCI_GET_CLASS(s)->end_data_transfer(s);
+            break;
+        }
+
+        if (dscr.attr & SDHC_ADMA_ATTR_INT) {
+            DPRINT_L1("ADMA interrupt: admasysaddr=0x%lx\n", s->admasysaddr);
+            if (s->norintstsen & SDHC_NISEN_DMA) {
+                s->norintsts |= SDHC_NIS_DMA;
+            }
+
+            sdhci_update_irq(s);
+            break;
+        }
+    }
+}
+
+/* Perform data transfer according to controller configuration */
+static void sdhci_start_transfer(SDHCIState *s)
+{
+    SDHCIClass *k = SDHCI_GET_CLASS(s);
+    s->data_count = 0;
+
+    if (s->trnmod & SDHC_TRNS_DMA) {
+        switch (SDHC_DMA_TYPE(s->hostctl)) {
+        case SDHC_CTRL_SDMA:
+            if ((s->trnmod & SDHC_TRNS_MULTI) &&
+                    (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
+                break;
+            }
+
+            if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
+                k->do_sdma_single(s);
+            } else {
+                k->do_sdma_multi(s);
+            }
+
+            break;
+        case SDHC_CTRL_ADMA1_32:
+            if (!(s->capareg & SDHC_CAN_DO_ADMA1)) {
+                ERRPRINT("ADMA1 not supported\n");
+                break;
+            }
+
+            k->do_adma(s);
+            break;
+        case SDHC_CTRL_ADMA2_32:
+            if (!(s->capareg & SDHC_CAN_DO_ADMA2)) {
+                ERRPRINT("ADMA2 not supported\n");
+                break;
+            }
+
+            k->do_adma(s);
+            break;
+        case SDHC_CTRL_ADMA2_64:
+            if (!(s->capareg & SDHC_CAN_DO_ADMA2) ||
+                    !(s->capareg & SDHC_64_BIT_BUS_SUPPORT)) {
+                ERRPRINT("64 bit ADMA not supported\n");
+                break;
+            }
+
+            k->do_adma(s);
+            break;
+        default:
+            ERRPRINT("Unsupported DMA type\n");
+            break;
+        }
+    } else {
+        if ((s->trnmod & SDHC_TRNS_READ) && sd_data_ready(s->card)) {
+            s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
+                    SDHC_DAT_LINE_ACTIVE;
+            SDHCI_GET_CLASS(s)->read_block_from_card(s);
+        } else {
+            s->prnsts |= SDHC_DOING_WRITE | SDHC_DAT_LINE_ACTIVE |
+                    SDHC_SPACE_AVAILABLE | SDHC_DATA_INHIBIT;
+            SDHCI_GET_CLASS(s)->write_block_to_card(s);
+        }
+    }
+}
+
+static bool sdhci_can_issue_command(SDHCIState *s)
+{
+    if (!SDHC_CLOCK_IS_ON(s->clkcon) || !(s->pwrcon & SDHC_POWER_ON) ||
+        (((s->prnsts & SDHC_DATA_INHIBIT) || s->stopped_state) &&
+        ((s->cmdreg & SDHC_CMD_DATA_PRESENT) ||
+        ((s->cmdreg & SDHC_CMD_RESPONSE) == SDHC_CMD_RSP_WITH_BUSY &&
+        !(SDHC_COMMAND_TYPE(s->cmdreg) == SDHC_CMD_ABORT))))) {
+        return false;
+    }
+
+    return true;
+}
+
+/* The Buffer Data Port register must be accessed in sequential and
+ * continuous manner */
+static inline bool
+sdhci_buff_access_is_sequential(SDHCIState *s, unsigned byte_num)
+{
+    if ((s->data_count & 0x3) != byte_num) {
+        ERRPRINT("Non-sequential access to Buffer Data Port register"
+                "is prohibited\n");
+        return false;
+    }
+    return true;
+}
+
+static uint32_t sdhci_read(SDHCIState *s, unsigned int offset, unsigned size)
+{
+    uint32_t ret = 0;
+
+    switch (offset & ~0x3) {
+    case SDHC_SYSAD:
+        ret = s->sdmasysad;
+        break;
+    case SDHC_BLKSIZE:
+        ret = s->blksize | (s->blkcnt << 16);
+        break;
+    case SDHC_ARGUMENT:
+        ret = s->argument;
+        break;
+    case SDHC_TRNMOD:
+        ret = s->trnmod | (s->cmdreg << 16);
+        break;
+    case SDHC_RSPREG0 ... SDHC_RSPREG3:
+        ret = s->rspreg[((offset & ~0x3) - SDHC_RSPREG0) >> 2];
+        break;
+    case  SDHC_BDATA:
+        if (sdhci_buff_access_is_sequential(s, offset - SDHC_BDATA)) {
+            ret = SDHCI_GET_CLASS(s)->bdata_read(s, size);
+            DPRINT_L2("read %ub: addr[0x%04x] -> %u\n", size, offset, ret);
+            return ret;
+        }
+        break;
+    case SDHC_PRNSTS:
+        ret = s->prnsts;
+        break;
+    case SDHC_HOSTCTL:
+        ret = s->hostctl | (s->pwrcon << 8) | (s->blkgap << 16) |
+              (s->wakcon << 24);
+        break;
+    case SDHC_CLKCON:
+        ret = s->clkcon | (s->timeoutcon << 16);
+        break;
+    case SDHC_NORINTSTS:
+        ret = s->norintsts | (s->errintsts << 16);
+        break;
+    case SDHC_NORINTSTSEN:
+        ret = s->norintstsen | (s->errintstsen << 16);
+        break;
+    case SDHC_NORINTSIGEN:
+        ret = s->norintsigen | (s->errintsigen << 16);
+        break;
+    case SDHC_ACMD12ERRSTS:
+        ret = s->acmd12errsts;
+        break;
+    case SDHC_CAPAREG:
+        ret = s->capareg;
+        break;
+    case SDHC_MAXCURR:
+        ret = s->maxcurr;
+        break;
+    case SDHC_ADMAERR:
+        ret =  s->admaerr;
+        break;
+    case SDHC_ADMASYSADDR:
+        ret = (uint32_t)s->admasysaddr;
+        break;
+    case SDHC_ADMASYSADDR + 4:
+        ret = (uint32_t)(s->admasysaddr >> 32);
+        break;
+    case SDHC_SLOT_INT_STATUS:
+        ret = (SD_HOST_SPECv2_VERS << 16) | sdhci_slotint(s);
+        break;
+    default:
+        ERRPRINT("bad %ub read: addr[0x%04x]\n", size, offset);
+        break;
+    }
+
+    ret >>= (offset & 0x3) * 8;
+    ret &= (1ULL << (size * 8)) - 1;
+    DPRINT_L2("read %ub: addr[0x%04x] -> %u(0x%x)\n", size, offset, ret, ret);
+    return ret;
+}
+
+static inline void sdhci_blkgap_write(SDHCIState *s, uint8_t value)
+{
+    if ((value & SDHC_STOP_AT_GAP_REQ) && (s->blkgap & SDHC_STOP_AT_GAP_REQ)) {
+        return;
+    }
+    s->blkgap = value & SDHC_STOP_AT_GAP_REQ;
+
+    if ((value & SDHC_CONTINUE_REQ) && s->stopped_state &&
+            (s->blkgap & SDHC_STOP_AT_GAP_REQ) == 0) {
+        if (s->stopped_state == sdhc_gap_read) {
+            s->prnsts |= SDHC_DAT_LINE_ACTIVE | SDHC_DOING_READ;
+            SDHCI_GET_CLASS(s)->read_block_from_card(s);
+        } else {
+            s->prnsts |= SDHC_DAT_LINE_ACTIVE | SDHC_DOING_WRITE;
+            SDHCI_GET_CLASS(s)->write_block_to_card(s);
+        }
+        s->stopped_state = sdhc_not_stopped;
+    } else if (!s->stopped_state && (value & SDHC_STOP_AT_GAP_REQ)) {
+        if (s->prnsts & SDHC_DOING_READ) {
+            s->stopped_state = sdhc_gap_read;
+        } else if (s->prnsts & SDHC_DOING_WRITE) {
+            s->stopped_state = sdhc_gap_write;
+        }
+    }
+}
+
+static inline void sdhci_reset_write(SDHCIState *s, uint8_t value)
+{
+    switch (value) {
+    case SDHC_RESET_ALL:
+        DEVICE_GET_CLASS(s)->reset(DEVICE(s));
+        break;
+    case SDHC_RESET_CMD:
+        s->prnsts &= ~SDHC_CMD_INHIBIT;
+        s->norintsts &= ~SDHC_NIS_CMDCMP;
+        break;
+    case SDHC_RESET_DATA:
+        s->data_count = 0;
+        s->prnsts &= ~(SDHC_SPACE_AVAILABLE | SDHC_DATA_AVAILABLE |
+                SDHC_DOING_READ | SDHC_DOING_WRITE |
+                SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE);
+        s->blkgap &= ~(SDHC_STOP_AT_GAP_REQ | SDHC_CONTINUE_REQ);
+        s->stopped_state = sdhc_not_stopped;
+        s->norintsts &= ~(SDHC_NIS_WBUFRDY | SDHC_NIS_RBUFRDY |
+                SDHC_NIS_DMA | SDHC_NIS_TRSCMP | SDHC_NIS_BLKGAP);
+        break;
+    }
+}
+
+static void
+sdhci_write(SDHCIState *s, unsigned int offset, uint32_t value, unsigned size)
+{
+    unsigned shift =  8 * (offset & 0x3);
+    uint32_t mask = ~(((1ULL << (size * 8)) - 1) << shift);
+    value <<= shift;
+
+    switch (offset & ~0x3) {
+    case SDHC_SYSAD:
+        s->sdmasysad = (s->sdmasysad & mask) | value;
+        MASKED_WRITE(s->sdmasysad, mask, value);
+        /* Writing to last byte of sdmasysad might trigger transfer */
+        if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
+                s->blksize && SDHC_DMA_TYPE(s->hostctl) == SDHC_CTRL_SDMA) {
+            SDHCI_GET_CLASS(s)->do_sdma_multi(s);
+        }
+        break;
+    case SDHC_BLKSIZE:
+        if (!TRANSFERRING_DATA(s->prnsts)) {
+            MASKED_WRITE(s->blksize, mask, value);
+            MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+        }
+        break;
+    case SDHC_ARGUMENT:
+        MASKED_WRITE(s->argument, mask, value);
+        break;
+    case SDHC_TRNMOD:
+        /* DMA can be enabled only if it is supported as indicated by
+         * capabilities register */
+        if (!(s->capareg & SDHC_CAN_DO_DMA)) {
+            value &= ~SDHC_TRNS_DMA;
+        }
+        MASKED_WRITE(s->trnmod, mask, value);
+        MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
+
+        /* Writing to the upper byte of CMDREG triggers SD command generation */
+        if ((mask & 0xFF000000) || !SDHCI_GET_CLASS(s)->can_issue_command(s)) {
+            break;
+        }
+
+        SDHCI_GET_CLASS(s)->send_command(s);
+        break;
+    case  SDHC_BDATA:
+        if (sdhci_buff_access_is_sequential(s, offset - SDHC_BDATA)) {
+            SDHCI_GET_CLASS(s)->bdata_write(s, value >> shift, size);
+        }
+        break;
+    case SDHC_HOSTCTL:
+        if (!(mask & 0xFF0000)) {
+            sdhci_blkgap_write(s, value >> 16);
+        }
+        MASKED_WRITE(s->hostctl, mask, value);
+        MASKED_WRITE(s->pwrcon, mask >> 8, value >> 8);
+        MASKED_WRITE(s->wakcon, mask >> 24, value >> 24);
+        if (!(s->prnsts & SDHC_CARD_PRESENT) || ((s->pwrcon >> 1) & 0x7) < 5 ||
+                !(s->capareg & (1 << (31 - ((s->pwrcon >> 1) & 0x7))))) {
+            s->pwrcon &= ~SDHC_POWER_ON;
+        }
+        break;
+    case SDHC_CLKCON:
+        if (!(mask & 0xFF000000)) {
+            sdhci_reset_write(s, value >> 24);
+        }
+        MASKED_WRITE(s->clkcon, mask, value);
+        MASKED_WRITE(s->timeoutcon, mask >> 16, value >> 16);
+        if (s->clkcon & SDHC_CLOCK_INT_EN) {
+            s->clkcon |= SDHC_CLOCK_INT_STABLE;
+        } else {
+            s->clkcon &= ~SDHC_CLOCK_INT_STABLE;
+        }
+        break;
+    case SDHC_NORINTSTS:
+        if (s->norintstsen & SDHC_NISEN_CARDINT) {
+            value &= ~SDHC_NIS_CARDINT;
+        }
+        s->norintsts &= mask | ~value;
+        s->errintsts &= (mask >> 16) | ~(value >> 16);
+        if (s->errintsts) {
+            s->norintsts |= SDHC_NIS_ERR;
+        } else {
+            s->norintsts &= ~SDHC_NIS_ERR;
+        }
+        sdhci_update_irq(s);
+        break;
+    case SDHC_NORINTSTSEN:
+        MASKED_WRITE(s->norintstsen, mask, value);
+        MASKED_WRITE(s->errintstsen, mask >> 16, value >> 16);
+        s->norintsts &= s->norintstsen;
+        s->errintsts &= s->errintstsen;
+        if (s->errintsts) {
+            s->norintsts |= SDHC_NIS_ERR;
+        } else {
+            s->norintsts &= ~SDHC_NIS_ERR;
+        }
+        sdhci_update_irq(s);
+        break;
+    case SDHC_NORINTSIGEN:
+        MASKED_WRITE(s->norintsigen, mask, value);
+        MASKED_WRITE(s->errintsigen, mask >> 16, value >> 16);
+        sdhci_update_irq(s);
+        break;
+    case SDHC_ADMAERR:
+        MASKED_WRITE(s->admaerr, mask, value);
+        break;
+    case SDHC_ADMASYSADDR:
+        s->admasysaddr = (s->admasysaddr & (0xFFFFFFFF00000000ULL |
+                (uint64_t)mask)) | (uint64_t)value;
+        break;
+    case SDHC_ADMASYSADDR + 4:
+        s->admasysaddr = (s->admasysaddr & (0x00000000FFFFFFFFULL |
+                ((uint64_t)mask << 32))) | ((uint64_t)value << 32);
+        break;
+    case SDHC_FEAER:
+        s->acmd12errsts |= value;
+        s->errintsts |= (value >> 16) & s->errintstsen;
+        if (s->acmd12errsts) {
+            s->errintsts |= SDHC_EIS_CMD12ERR;
+        }
+        if (s->errintsts) {
+            s->norintsts |= SDHC_NIS_ERR;
+        }
+        sdhci_update_irq(s);
+        break;
+    default:
+        ERRPRINT("bad %ub write offset: addr[0x%04x] <- %u(0x%x)\n",
+                size, offset, value >> shift, value >> shift);
+        break;
+    }
+    DPRINT_L2("write %ub: addr[0x%04x] <- %u(0x%x)\n",
+            size, offset, value >> shift, value >> shift);
+}
+
+static uint64_t
+sdhci_readfn(void *opaque, target_phys_addr_t offset, unsigned size)
+{
+    SDHCIState *s = (SDHCIState *)opaque;
+
+    return SDHCI_GET_CLASS(s)->mem_read(s, offset, size);
+}
+
+static void
+sdhci_writefn(void *opaque, target_phys_addr_t off, uint64_t val, unsigned sz)
+{
+    SDHCIState *s = (SDHCIState *)opaque;
+
+    SDHCI_GET_CLASS(s)->mem_write(s, off, val, sz);
+}
+
+static const MemoryRegionOps sdhci_mmio_ops = {
+    .read = sdhci_readfn,
+    .write = sdhci_writefn,
+    .valid = {
+        .min_access_size = 1,
+        .max_access_size = 4,
+        .unaligned = false
+    },
+    .endianness = DEVICE_LITTLE_ENDIAN,
+};
+
+static inline unsigned int sdhci_get_fifolen(SDHCIState *s)
+{
+    switch (SDHC_CAPAB_BLOCKSIZE(s->capareg)) {
+    case 0:
+        return 512;
+    case 1:
+        return 1024;
+    case 2:
+        return 2048;
+    default:
+        hw_error("SDHC: unsupported value for maximum block size\n");
+        return 0;
+    }
+}
+
+static void sdhci_initfn(Object *obj)
+{
+    SDHCIState *s = SDHCI(obj);
+    DriveInfo *di;
+
+    di = drive_get_next(IF_SD);
+    s->card = sd_init(di ? di->bdrv : NULL, 0);
+    s->eject_cb = qemu_allocate_irqs(sdhci_insert_eject_cb, s, 1)[0];
+    s->ro_cb = qemu_allocate_irqs(sdhci_card_readonly_cb, s, 1)[0];
+    sd_set_cb(s->card, s->ro_cb, s->eject_cb);
+
+    s->insert_timer = qemu_new_timer_ns(vm_clock, sdhci_raise_insertion_irq, s);
+}
+
+static void sdhci_uninitfn(Object *obj)
+{
+    SDHCIState *s = SDHCI(obj);
+
+    qemu_del_timer(s->insert_timer);
+    qemu_free_timer(s->insert_timer);
+    qemu_free_irqs(&s->eject_cb);
+    qemu_free_irqs(&s->ro_cb);
+
+    if (s->fifo_buffer) {
+        g_free(s->fifo_buffer);
+        s->fifo_buffer = NULL;
+    }
+}
+
+const VMStateDescription sdhci_vmstate = {
+    .name = "sdhci",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields      = (VMStateField[]) {
+        VMSTATE_UINT32(sdmasysad, SDHCIState),
+        VMSTATE_UINT16(blksize, SDHCIState),
+        VMSTATE_UINT16(blkcnt, SDHCIState),
+        VMSTATE_UINT32(argument, SDHCIState),
+        VMSTATE_UINT16(trnmod, SDHCIState),
+        VMSTATE_UINT16(cmdreg, SDHCIState),
+        VMSTATE_UINT32_ARRAY(rspreg, SDHCIState, 4),
+        VMSTATE_UINT32(prnsts, SDHCIState),
+        VMSTATE_UINT8(hostctl, SDHCIState),
+        VMSTATE_UINT8(pwrcon, SDHCIState),
+        VMSTATE_UINT8(blkgap, SDHCIState),
+        VMSTATE_UINT8(wakcon, SDHCIState),
+        VMSTATE_UINT16(clkcon, SDHCIState),
+        VMSTATE_UINT8(timeoutcon, SDHCIState),
+        VMSTATE_UINT8(admaerr, SDHCIState),
+        VMSTATE_UINT16(norintsts, SDHCIState),
+        VMSTATE_UINT16(errintsts, SDHCIState),
+        VMSTATE_UINT16(norintstsen, SDHCIState),
+        VMSTATE_UINT16(errintstsen, SDHCIState),
+        VMSTATE_UINT16(norintsigen, SDHCIState),
+        VMSTATE_UINT16(errintsigen, SDHCIState),
+        VMSTATE_UINT16(acmd12errsts, SDHCIState),
+        VMSTATE_UINT16(data_count, SDHCIState),
+        VMSTATE_UINT64(admasysaddr, SDHCIState),
+        VMSTATE_UINT8(stopped_state, SDHCIState),
+        VMSTATE_VBUFFER_UINT32(fifo_buffer, SDHCIState, 1, NULL, 0, buf_maxsz),
+        VMSTATE_TIMER(insert_timer, SDHCIState),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
+/* Capabilities registers provide information on supported features of this
+ * specific host controller implementation */
+static Property sdhci_properties[] = {
+    DEFINE_PROP_HEX32("capareg", SDHCIState, capareg,
+            SDHC_CAPAB_REG_DEFAULT),
+    DEFINE_PROP_HEX32("maxcurr", SDHCIState, maxcurr, 0),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+static int sdhci_realize(SysBusDevice *busdev)
+{
+    SDHCIState *s = SDHCI(busdev);
+
+    s->buf_maxsz = sdhci_get_fifolen(s);
+    s->fifo_buffer = g_malloc0(s->buf_maxsz);
+    sysbus_init_irq(busdev, &s->irq);
+    memory_region_init_io(&s->iomem, &sdhci_mmio_ops, s, "sdhci",
+            SDHC_REGISTERS_MAP_SIZE);
+    sysbus_init_mmio(busdev, &s->iomem);
+    return 0;
+}
+
+static void sdhci_generic_reset(DeviceState *ds)
+{
+    SDHCIState *s = SDHCI(ds);
+    SDHCI_GET_CLASS(s)->reset(s);
+}
+
+static void sdhci_class_init(ObjectClass *klass, void *data)
+{
+    DeviceClass *dc = DEVICE_CLASS(klass);
+    SysBusDeviceClass *sbdc = SYS_BUS_DEVICE_CLASS(klass);
+    SDHCIClass *k = SDHCI_CLASS(klass);
+
+    dc->vmsd = &sdhci_vmstate;
+    dc->props = sdhci_properties;
+    dc->reset = sdhci_generic_reset;
+    sbdc->init = sdhci_realize;
+
+    k->reset = sdhci_reset;
+    k->mem_read = sdhci_read;
+    k->mem_write = sdhci_write;
+    k->send_command = sdhci_send_command;
+    k->can_issue_command = sdhci_can_issue_command;
+    k->start_data_transfer = sdhci_start_transfer;
+    k->end_data_transfer = sdhci_end_transfer;
+    k->do_sdma_single = sdhci_sdma_transfer_single_block;
+    k->do_sdma_multi = sdhci_sdma_transfer_multi_blocks;
+    k->do_adma = sdhci_start_adma;
+    k->read_block_from_card = sdhci_read_block_from_card;
+    k->write_block_to_card = sdhci_write_block_to_card;
+    k->bdata_read = sdhci_read_dataport;
+    k->bdata_write = sdhci_write_dataport;
+}
+
+static const TypeInfo sdhci_type_info = {
+    .name = TYPE_SDHCI,
+    .parent = TYPE_SYS_BUS_DEVICE,
+    .instance_size = sizeof(SDHCIState),
+    .instance_init = sdhci_initfn,
+    .instance_finalize = sdhci_uninitfn,
+    .class_init = sdhci_class_init,
+    .class_size = sizeof(SDHCIClass)
+};
+
+static void sdhci_register_types(void)
+{
+    type_register_static(&sdhci_type_info);
+}
+
+type_init(sdhci_register_types)
diff --git a/hw/sdhci.h b/hw/sdhci.h
new file mode 100644
index 0000000..858db1b
--- /dev/null
+++ b/hw/sdhci.h
@@ -0,0 +1,309 @@ 
+/*
+ * SD Association Host Standard Specification v2.0 controller emulation
+ *
+ * Copyright (c) 2011 Samsung Electronics Co., Ltd.
+ * Mitsyanko Igor <i.mitsyanko@samsung.com>
+ * Peter A.G. Crosthwaite <peter.crosthwaite@petalogix.com>
+ *
+ * Based on MMC controller for Samsung S5PC1xx-based board emulation
+ * by Alexey Merkulov and Vladimir Monakhov.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef SDHCI_H
+#define SDHCI_H
+
+#include "qemu-common.h"
+#include "sysbus.h"
+#include "sd.h"
+
+/* R/W SDMA System Address register 0x0 */
+#define SDHC_SYSAD                     0x00
+
+/* R/W Host DMA Buffer Boundary and Transfer Block Size Register 0x0 */
+#define SDHC_BLKSIZE                   0x04
+
+/* R/W Blocks count for current transfer 0x0 */
+#define SDHC_BLKCNT                    0x06
+
+/* R/W Command Argument Register 0x0 */
+#define SDHC_ARGUMENT                  0x08
+
+/* R/W Transfer Mode Setting Register 0x0 */
+#define SDHC_TRNMOD                    0x0C
+#define SDHC_TRNS_DMA                  0x0001
+#define SDHC_TRNS_BLK_CNT_EN           0x0002
+#define SDHC_TRNS_ACMD12               0x0004
+#define SDHC_TRNS_READ                 0x0010
+#define SDHC_TRNS_MULTI                0x0020
+
+/* R/W Command Register 0x0 */
+#define SDHC_CMDREG                    0x0E
+#define SDHC_CMD_RSP_WITH_BUSY         (3 << 0)
+#define SDHC_CMD_DATA_PRESENT          (1 << 5)
+#define SDHC_CMD_SUSPEND               (1 << 6)
+#define SDHC_CMD_RESUME                (1 << 7)
+#define SDHC_CMD_ABORT                 ((1 << 6)|(1 << 7))
+#define SDHC_CMD_TYPE_MASK             ((1 << 6)|(1 << 7))
+#define SDHC_COMMAND_TYPE(x)           ((x) & SDHC_CMD_TYPE_MASK)
+
+/* ROC Response Register 0 0x0 */
+#define SDHC_RSPREG0                   0x10
+/* ROC Response Register 1 0x0 */
+#define SDHC_RSPREG1                   0x14
+/* ROC Response Register 2 0x0 */
+#define SDHC_RSPREG2                   0x18
+/* ROC Response Register 3 0x0 */
+#define SDHC_RSPREG3                   0x1C
+
+/* R/W Buffer Data Register 0x0 */
+#define SDHC_BDATA                     0x20
+
+/* R/ROC Present State Register 0x000A0000 */
+#define SDHC_PRNSTS                    0x24
+#define SDHC_CMD_INHIBIT               0x00000001
+#define SDHC_DATA_INHIBIT              0x00000002
+#define SDHC_DAT_LINE_ACTIVE           0x00000004
+#define SDHC_DOING_WRITE               0x00000100
+#define SDHC_DOING_READ                0x00000200
+#define SDHC_SPACE_AVAILABLE           0x00000400
+#define SDHC_DATA_AVAILABLE            0x00000800
+#define SDHC_CARD_PRESENT              0x00010000
+#define SDHC_CARD_DETECT               0x00040000
+#define SDHC_WRITE_PROTECT             0x00080000
+#define TRANSFERRING_DATA(x)           \
+    ((x) & (SDHC_DOING_READ | SDHC_DOING_WRITE))
+
+/* R/W Host control Register 0x0 */
+#define SDHC_HOSTCTL                   0x28
+#define SDHC_CTRL_DMA_CHECK_MASK       0x18
+#define SDHC_CTRL_SDMA                 0x00
+#define SDHC_CTRL_ADMA1_32             0x08
+#define SDHC_CTRL_ADMA2_32             0x10
+#define SDHC_CTRL_ADMA2_64             0x18
+#define SDHC_DMA_TYPE(x)               ((x) & SDHC_CTRL_DMA_CHECK_MASK)
+
+/* R/W Power Control Register 0x0 */
+#define SDHC_PWRCON                    0x29
+#define SDHC_POWER_ON                  (1 << 0)
+
+/* R/W Block Gap Control Register 0x0 */
+#define SDHC_BLKGAP                    0x2A
+#define SDHC_STOP_AT_GAP_REQ           0x01
+#define SDHC_CONTINUE_REQ              0x02
+
+/* R/W WakeUp Control Register 0x0 */
+#define SDHC_WAKCON                    0x2B
+#define SDHC_WKUP_ON_INS               (1 << 1)
+#define SDHC_WKUP_ON_RMV               (1 << 2)
+
+/* CLKCON */
+#define SDHC_CLKCON                    0x2C
+#define SDHC_CLOCK_INT_STABLE          0x0002
+#define SDHC_CLOCK_INT_EN              0x0001
+#define SDHC_CLOCK_SDCLK_EN            (1 << 2)
+#define SDHC_CLOCK_CHK_MASK            0x0007
+#define SDHC_CLOCK_IS_ON(x)            \
+    (((x) & SDHC_CLOCK_CHK_MASK) == SDHC_CLOCK_CHK_MASK)
+
+/* R/W Timeout Control Register 0x0 */
+#define SDHC_TIMEOUTCON                0x2E
+
+/* R/W Software Reset Register 0x0 */
+#define SDHC_SWRST                     0x2F
+#define SDHC_RESET_ALL                 0x01
+#define SDHC_RESET_CMD                 0x02
+#define SDHC_RESET_DATA                0x04
+
+/* ROC/RW1C Normal Interrupt Status Register 0x0 */
+#define SDHC_NORINTSTS                 0x30
+#define SDHC_NIS_ERR                   0x8000
+#define SDHC_NIS_CMDCMP                0x0001
+#define SDHC_NIS_TRSCMP                0x0002
+#define SDHC_NIS_BLKGAP                0x0004
+#define SDHC_NIS_DMA                   0x0008
+#define SDHC_NIS_WBUFRDY               0x0010
+#define SDHC_NIS_RBUFRDY               0x0020
+#define SDHC_NIS_INSERT                0x0040
+#define SDHC_NIS_REMOVE                0x0080
+#define SDHC_NIS_CARDINT               0x0100
+
+/* ROC/RW1C Error Interrupt Status Register 0x0 */
+#define SDHC_ERRINTSTS                 0x32
+#define SDHC_EIS_CMDTIMEOUT            0x0001
+#define SDHC_EIS_BLKGAP                0x0004
+#define SDHC_EIS_CMDIDX                0x0008
+#define SDHC_EIS_CMD12ERR              0x0100
+#define SDHC_EIS_ADMAERR               0x0200
+
+/* R/W Normal Interrupt Status Enable Register 0x0 */
+#define SDHC_NORINTSTSEN               0x34
+#define SDHC_NISEN_CMDCMP              0x0001
+#define SDHC_NISEN_TRSCMP              0x0002
+#define SDHC_NISEN_DMA                 0x0008
+#define SDHC_NISEN_WBUFRDY             0x0010
+#define SDHC_NISEN_RBUFRDY             0x0020
+#define SDHC_NISEN_INSERT              0x0040
+#define SDHC_NISEN_REMOVE              0x0080
+#define SDHC_NISEN_CARDINT             0x0100
+
+/* R/W Error Interrupt Status Enable Register 0x0 */
+#define SDHC_ERRINTSTSEN               0x36
+#define SDHC_EISEN_CMDTIMEOUT          0x0001
+#define SDHC_EISEN_BLKGAP              0x0004
+#define SDHC_EISEN_CMDIDX              0x0008
+#define SDHC_EISEN_ADMAERR             0x0200
+
+/* R/W Normal Interrupt Signal Enable Register 0x0 */
+#define SDHC_NORINTSIGEN               0x38
+#define SDHC_NORINTSIG_INSERT          (1 << 6)
+#define SDHC_NORINTSIG_REMOVE          (1 << 7)
+
+/* R/W Error Interrupt Signal Enable Register 0x0 */
+#define SDHC_ERRINTSIGEN               0x3A
+
+/* ROC Auto CMD12 error status register 0x0 */
+#define SDHC_ACMD12ERRSTS              0x3C
+
+/* HWInit Capabilities Register 0x05E80080 */
+#define SDHC_CAPAREG                   0x40
+#define SDHC_CAN_DO_DMA                0x00400000
+#define SDHC_CAN_DO_ADMA2              0x00080000
+#define SDHC_CAN_DO_ADMA1              0x00100000
+#define SDHC_64_BIT_BUS_SUPPORT        (1 << 28)
+#define SDHC_CAPAB_BLOCKSIZE(x)        (((x) >> 16) & 0x3)
+
+/* HWInit Maximum Current Capabilities Register 0x0 */
+#define SDHC_MAXCURR                   0x48
+
+/* W Force Event Auto CMD12 Error Interrupt Register 0x0000 */
+#define SDHC_FEAER                     0x50
+/* W Force Event Error Interrupt Register Error Interrupt 0x0000 */
+#define SDHC_FEERR                     0x52
+
+/* R/W ADMA Error Status Register 0x00 */
+#define SDHC_ADMAERR                   0x54
+#define SDHC_ADMAERR_LENGTH_MISMATCH   (1 << 2)
+#define SDHC_ADMAERR_STATE_ST_STOP     (0 << 0)
+#define SDHC_ADMAERR_STATE_ST_FDS      (1 << 0)
+#define SDHC_ADMAERR_STATE_ST_TFR      (3 << 0)
+#define SDHC_ADMAERR_STATE_MASK        (3 << 0)
+
+/* R/W ADMA System Address Register 0x00 */
+#define SDHC_ADMASYSADDR               0x58
+#define SDHC_ADMA_ATTR_SET_LEN         (1 << 4)
+#define SDHC_ADMA_ATTR_ACT_TRAN        (1 << 5)
+#define SDHC_ADMA_ATTR_ACT_LINK        (3 << 4)
+#define SDHC_ADMA_ATTR_INT             (1 << 2)
+#define SDHC_ADMA_ATTR_END             (1 << 1)
+#define SDHC_ADMA_ATTR_VALID           (1 << 0)
+#define SDHC_ADMA_ATTR_ACT_MASK        ((1 << 4)|(1 << 5))
+
+/* Slot interrupt status */
+#define SDHC_SLOT_INT_STATUS            0xFC
+
+/* HWInit Host Controller Version Register 0x0401 */
+#define SDHC_HCVER                      0xFE
+#define SD_HOST_SPECv2_VERS             0x2401
+
+#define SDHC_REGISTERS_MAP_SIZE         0x100
+#define SDHC_INSERTION_DELAY            (get_ticks_per_sec())
+#define SDHC_CMD_RESPONSE               (3 << 0)
+
+enum {
+    sdhc_not_stopped = 0, /* normal SDHC state */
+    sdhc_gap_read   = 1,  /* SDHC stopped at block gap during read operation */
+    sdhc_gap_write  = 2   /* SDHC stopped at block gap during write operation */
+};
+
+/* SD/MMC host controller state */
+typedef struct SDHCIState {
+    SysBusDevice busdev;
+    SDState *card;
+    MemoryRegion iomem;
+
+    QEMUTimer *insert_timer;       /* timer for 'changing' sd card. */
+    qemu_irq eject_cb;
+    qemu_irq ro_cb;
+    qemu_irq irq;
+
+    uint32_t sdmasysad;    /* SDMA System Address register */
+    uint16_t blksize;      /* Host DMA Buff Boundary and Transfer BlkSize Reg */
+    uint16_t blkcnt;       /* Blocks count for current transfer */
+    uint32_t argument;     /* Command Argument Register */
+    uint16_t trnmod;       /* Transfer Mode Setting Register */
+    uint16_t cmdreg;       /* Command Register */
+    uint32_t rspreg[4];    /* Response Registers 0-3 */
+    uint32_t prnsts;       /* Present State Register */
+    uint8_t  hostctl;      /* Host Control Register */
+    uint8_t  pwrcon;       /* Power control Register */
+    uint8_t  blkgap;       /* Block Gap Control Register */
+    uint8_t  wakcon;       /* WakeUp Control Register */
+    uint16_t clkcon;       /* Clock control Register */
+    uint8_t  timeoutcon;   /* Timeout Control Register */
+    uint8_t  admaerr;      /* ADMA Error Status Register */
+    uint16_t norintsts;    /* Normal Interrupt Status Register */
+    uint16_t errintsts;    /* Error Interrupt Status Register */
+    uint16_t norintstsen;  /* Normal Interrupt Status Enable Register */
+    uint16_t errintstsen;  /* Error Interrupt Status Enable Register */
+    uint16_t norintsigen;  /* Normal Interrupt Signal Enable Register */
+    uint16_t errintsigen;  /* Error Interrupt Signal Enable Register */
+    uint16_t acmd12errsts; /* Auto CMD12 error status register */
+    uint64_t admasysaddr;  /* ADMA System Address Register */
+
+    uint32_t capareg;      /* Capabilities Register */
+    uint32_t maxcurr;      /* Maximum Current Capabilities Register */
+    uint8_t  *fifo_buffer; /* SD host i/o FIFO buffer */
+    uint32_t buf_maxsz;
+    uint16_t data_count;   /* current element in FIFO buffer */
+    uint8_t  stopped_state;/* Current SDHC state */
+    /* Buffer Data Port Register - virtual access point to R and W buffers */
+    /* Software Reset Register - always reads as 0 */
+    /* Force Event Auto CMD12 Error Interrupt Reg - write only */
+    /* Force Event Error Interrupt Register- write only */
+    /* RO Host Controller Version Register always reads as 0x2401 */
+} SDHCIState;
+
+typedef struct SDHCIClass {
+    SysBusDeviceClass busdev_class;
+
+    void (*reset)(SDHCIState *s);
+    uint32_t (*mem_read)(SDHCIState *s, unsigned int offset, unsigned size);
+    void (*mem_write)(SDHCIState *s, unsigned int offset, uint32_t value,
+            unsigned size);
+    void (*send_command)(SDHCIState *s);
+    bool (*can_issue_command)(SDHCIState *s);
+    void (*start_data_transfer)(SDHCIState *s);
+    void (*end_data_transfer)(SDHCIState *s);
+    void (*do_sdma_single)(SDHCIState *s);
+    void (*do_sdma_multi)(SDHCIState *s);
+    void (*do_adma)(SDHCIState *s);
+    void (*read_block_from_card)(SDHCIState *s);
+    void (*write_block_to_card)(SDHCIState *s);
+    uint32_t (*bdata_read)(SDHCIState *s, unsigned size);
+    void (*bdata_write)(SDHCIState *s, uint32_t value, unsigned size);
+} SDHCIClass;
+
+extern const VMStateDescription sdhci_vmstate;
+
+#define TYPE_SDHCI            "sdhci"
+#define SDHCI(obj)            \
+     OBJECT_CHECK(SDHCIState, (obj), TYPE_SDHCI)
+#define SDHCI_CLASS(klass)    \
+     OBJECT_CLASS_CHECK(SDHCIClass, (klass), TYPE_SDHCI)
+#define SDHCI_GET_CLASS(obj)  \
+     OBJECT_GET_CLASS(SDHCIClass, (obj), TYPE_SDHCI)
+
+#endif /* SDHCI_H */