diff --git a/xen-hvm.c b/xen-hvm.c
index 124ae10b5d..0892361cc2 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -997,6 +997,7 @@ static int handle_buffered_iopage(XenIOState *state)
     memset(&req, 0x00, sizeof(req));
     req.state = STATE_IOREQ_READY;
     req.count = 1;
+    req.dir = IOREQ_WRITE;
 
     for (;;) {
         uint32_t rdptr = buf_page->read_pointer, wrptr;
@@ -1014,7 +1015,6 @@ static int handle_buffered_iopage(XenIOState *state)
         req.size = 1U << buf_req->size;
         req.addr = buf_req->addr;
         req.data = buf_req->data;
-        req.dir = buf_req->dir;
         req.type = buf_req->type;
         xen_rmb();
         qw = (req.size == 8);
@@ -1031,10 +1031,12 @@ static int handle_buffered_iopage(XenIOState *state)
         handle_ioreq(state, &req);
 
         /* Only req.data may get updated by handle_ioreq(), albeit even that
-         * should not happen as such data would never make it to the guest.
+         * should not happen as such data would never make it to the guest (we
+         * can only usefully see writes here after all).
          */
         assert(req.state == STATE_IOREQ_READY);
         assert(req.count == 1);
+        assert(req.dir == IOREQ_WRITE);
         assert(!req.data_is_ptr);
 
         atomic_add(&buf_page->read_pointer, qw + 1);