Index: ioemu/vl.c
===================================================================
--- ioemu.orig/vl.c	2007-05-03 15:09:21.000000000 +0100
+++ ioemu/vl.c	2007-05-03 15:09:48.000000000 +0100
@@ -5923,6 +5923,7 @@
     int usb_devices_index;
     unsigned long ioreq_pfn;
     extern void *shared_page;
+    extern void *buffered_io_page;
     unsigned long nr_pages;
 
     char qemu_dm_logfilename[64];
@@ -6499,6 +6500,16 @@
         exit(-1);
     }
 
+    xc_get_hvm_param(xc_handle, domid, HVM_PARAM_BUFIOREQ_PFN, &ioreq_pfn);
+    fprintf(logfile, "buffered io page at pfn %lx\n", ioreq_pfn);
+    buffered_io_page = xc_map_foreign_range(xc_handle, domid, PAGE_SIZE,
+                                            PROT_READ|PROT_WRITE,
+                                            page_array[ioreq_pfn]);
+    if (buffered_io_page == NULL) {
+        fprintf(logfile, "map buffered IO page returned error %d\n", errno);
+        exit(-1);
+    }
+
     free(page_array);
 
 #elif defined(__ia64__)
Index: ioemu/target-i386-dm/helper2.c
===================================================================
--- ioemu.orig/target-i386-dm/helper2.c	2007-05-03 15:09:21.000000000 +0100
+++ ioemu/target-i386-dm/helper2.c	2007-05-03 15:10:03.000000000 +0100
@@ -78,6 +78,10 @@
 
 shared_iopage_t *shared_page = NULL;
 
+#define BUFFER_IO_MAX_DELAY  100
+buffered_iopage_t *buffered_io_page = NULL;
+QEMUTimer *buffered_io_timer;
+
 /* the evtchn fd for polling */
 int xce_handle = -1;
 
@@ -489,6 +493,72 @@
     req->data = tmp1;
 }
 
+void __handle_ioreq(CPUState *env, ioreq_t *req)
+{
+    if (!req->data_is_ptr && req->dir == IOREQ_WRITE && req->size != 4)
+	req->data &= (1UL << (8 * req->size)) - 1;
+
+    switch (req->type) {
+    case IOREQ_TYPE_PIO:
+        cpu_ioreq_pio(env, req);
+        break;
+    case IOREQ_TYPE_COPY:
+        cpu_ioreq_move(env, req);
+        break;
+    case IOREQ_TYPE_AND:
+        cpu_ioreq_and(env, req);
+        break;
+    case IOREQ_TYPE_ADD:
+        cpu_ioreq_add(env, req);
+        break;
+    case IOREQ_TYPE_SUB:
+        cpu_ioreq_sub(env, req);
+        break;
+    case IOREQ_TYPE_OR:
+        cpu_ioreq_or(env, req);
+        break;
+    case IOREQ_TYPE_XOR:
+        cpu_ioreq_xor(env, req);
+        break;
+    case IOREQ_TYPE_XCHG:
+        cpu_ioreq_xchg(env, req);
+        break;
+    case IOREQ_TYPE_TIMEOFFSET:
+        cpu_ioreq_timeoffset(env, req);
+        break;
+    default:
+        hw_error("Invalid ioreq type 0x%x\n", req->type);
+    }
+}
+
+void __handle_buffered_iopage(CPUState *env)
+{
+    ioreq_t *req = NULL;
+
+    if (!buffered_io_page)
+        return;
+
+    while (buffered_io_page->read_pointer !=
+           buffered_io_page->write_pointer) {
+        req = &buffered_io_page->ioreq[buffered_io_page->read_pointer %
+				       IOREQ_BUFFER_SLOT_NUM];
+
+        __handle_ioreq(env, req);
+
+        mb();
+        buffered_io_page->read_pointer++;
+    }
+}
+
+void handle_buffered_io(void *opaque)
+{
+    CPUState *env = opaque;
+
+    __handle_buffered_iopage(env);
+    qemu_mod_timer(buffered_io_timer, BUFFER_IO_MAX_DELAY +
+		   qemu_get_clock(rt_clock));
+}
+
 void cpu_handle_ioreq(void *opaque)
 {
     extern int vm_running;
@@ -496,43 +566,9 @@
     CPUState *env = opaque;
     ioreq_t *req = cpu_get_ioreq();
 
+    handle_buffered_io(env);
     if (req) {
-        if ((!req->data_is_ptr) && (req->dir == IOREQ_WRITE)) {
-            if (req->size != 4)
-                req->data &= (1UL << (8 * req->size))-1;
-        }
-
-        switch (req->type) {
-        case IOREQ_TYPE_PIO:
-            cpu_ioreq_pio(env, req);
-            break;
-        case IOREQ_TYPE_COPY:
-            cpu_ioreq_move(env, req);
-            break;
-        case IOREQ_TYPE_AND:
-            cpu_ioreq_and(env, req);
-            break;
-        case IOREQ_TYPE_ADD:
-            cpu_ioreq_add(env, req);
-            break;
-        case IOREQ_TYPE_SUB:
-            cpu_ioreq_sub(env, req);
-            break;
-        case IOREQ_TYPE_OR:
-            cpu_ioreq_or(env, req);
-            break;
-        case IOREQ_TYPE_XOR:
-            cpu_ioreq_xor(env, req);
-            break;
-        case IOREQ_TYPE_XCHG:
-            cpu_ioreq_xchg(env, req);
-            break;
-	case IOREQ_TYPE_TIMEOFFSET:
-            cpu_ioreq_timeoffset(env, req);
-            break;
-        default:
-            hw_error("Invalid ioreq type 0x%x\n", req->type);
-        }
+        __handle_ioreq(env, req);
 
         if (req->state != STATE_IOREQ_INPROCESS) {
             fprintf(logfile, "Badness in I/O request ... not in service?!: "
@@ -578,6 +614,10 @@
     int evtchn_fd = xc_evtchn_fd(xce_handle);
     char qemu_file[20];
 
+    buffered_io_timer = qemu_new_timer(rt_clock, handle_buffered_io,
+				       cpu_single_env);
+    qemu_mod_timer(buffered_io_timer, qemu_get_clock(rt_clock));
+
     qemu_set_fd_handler(evtchn_fd, cpu_handle_ioreq, NULL, env);
 
     while (!(vm_running && suspend_requested))
@@ -587,6 +627,7 @@
     fprintf(logfile, "device model received suspend signal!\n");
 
     /* Pull all outstanding ioreqs through the system */
+    handle_buffered_io(env);
     main_loop_wait(1); /* For the select() on events */
 
     /* Stop the IDE thread */
