diff --git a/mm/mmap.c b/mm/mmap.c
index 971d0ed..e94afde 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1244,6 +1244,171 @@ unacct_error:
 	return error;
 }
 
+/**
+ * mmap_io_region - map an I/O region, creating a new VMA if necessary
+ * @file: file to account mapping against
+ * @addr: user address to map
+ * @len: size of mapping
+ * @flags: mmap flags
+ * @vm_flags: VM protection bits
+ * @pgoff: pfn of backing pages
+ * @accountable: account for these pages?
+ *
+ * Normally drivers can simply override ->mmap and use remap_pfn_range
+ * themselves, but if remapping needs to be done in other functions (say ioctl)
+ * some function has to provide VMA allocation & linking services, thus
+ * this function.
+ */
+unsigned long mmap_io_region(struct file *file, unsigned long addr,
+			     unsigned long len, unsigned long flags,
+			     unsigned int vm_flags, unsigned long pgoff,
+			     int accountable)
+{
+	struct mm_struct *mm = current->mm;
+	struct vm_area_struct *vma, *prev;
+	int correct_wcount = 0;
+	int error;
+	struct rb_node **rb_link, *rb_parent;
+	unsigned long charged = 0;
+	struct inode *inode =  file ? file->f_path.dentry->d_inode : NULL;
+
+	/* Clear old maps */
+	error = -ENOMEM;
+munmap_back:
+	vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
+	if (vma && vma->vm_start < addr + len) {
+		if (do_munmap(mm, addr, len))
+			return -ENOMEM;
+		goto munmap_back;
+	}
+
+	/* Check against address space limit. */
+	if (!may_expand_vm(mm, len >> PAGE_SHIFT))
+		return -ENOMEM;
+
+	if (flags & MAP_NORESERVE)
+		vm_flags |= VM_NORESERVE;
+
+	if (accountable && (!(flags & MAP_NORESERVE) ||
+			    sysctl_overcommit_memory == OVERCOMMIT_NEVER)) {
+		if (vm_flags & VM_SHARED) {
+			/* Check memory availability in shmem_file_setup? */
+			vm_flags |= VM_ACCOUNT;
+		} else if (vm_flags & VM_WRITE) {
+			/*
+			 * Private writable mapping: check memory availability
+			 */
+			charged = len >> PAGE_SHIFT;
+			if (security_vm_enough_memory(charged))
+				return -ENOMEM;
+			vm_flags |= VM_ACCOUNT;
+		}
+	}
+
+	printk(KERN_ERR "%s: using vma %p\n", __FUNCTION__, vma);
+
+	/*
+	 * Determine the object being mapped and call the appropriate
+	 * specific mapper. the address has already been validated, but
+	 * not unmapped, but the maps are removed from the list.
+	 */
+	vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
+	if (!vma) {
+		error = -ENOMEM;
+		goto unacct_error;
+	}
+
+	vma->vm_mm = mm;
+	vma->vm_start = addr;
+	vma->vm_end = addr + len;
+	vma->vm_flags = vm_flags;
+	vma->vm_page_prot = vm_get_page_prot(vm_flags);
+	vma->vm_pgoff = pgoff;
+
+	error = -EINVAL;
+	if (vm_flags & (VM_GROWSDOWN|VM_GROWSUP))
+		goto free_vma;
+	if (vm_flags & VM_DENYWRITE) {
+		error = deny_write_access(file);
+		if (error)
+			goto free_vma;
+		correct_wcount = 1;
+	}
+
+	get_file(file);
+	printk(KERN_ERR "remap_pfn_range(%p, 0x%lx, 0x%lx, 0x%lx, 0x%lx)\n",
+	       vma, vma->vm_start, vma->vm_pgoff, len, vma->vm_page_prot);
+	error = remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, len,
+				vma->vm_page_prot);
+	if (error)
+		goto unmap_and_free_vma;
+	if (vm_flags & VM_EXECUTABLE)
+		added_exe_file_vma(mm);
+
+	/* We set VM_ACCOUNT in a shared mapping's vm_flags, to inform
+	 * shmem_zero_setup (perhaps called through /dev/zero's ->mmap)
+	 * that memory reservation must be checked; but that reservation
+	 * belongs to shared memory object, not to vma: so now clear it.
+	 */
+	if ((vm_flags & (VM_SHARED|VM_ACCOUNT)) == (VM_SHARED|VM_ACCOUNT))
+		vma->vm_flags &= ~VM_ACCOUNT;
+
+	/* Can addr have changed??
+	 *
+	 * Answer: Yes, several device drivers can do it in their
+	 *         f_op->mmap method. -DaveM
+	 */
+	addr = vma->vm_start;
+	pgoff = vma->vm_pgoff;
+	vm_flags = vma->vm_flags;
+
+	if (vma_wants_writenotify(vma))
+		vma->vm_page_prot = vm_get_page_prot(vm_flags & ~VM_SHARED);
+
+	if (file && vma_merge(mm, prev, addr, vma->vm_end,
+			vma->vm_flags, NULL, file, pgoff, vma_policy(vma))) {
+		mpol_put(vma_policy(vma));
+		kmem_cache_free(vm_area_cachep, vma);
+		fput(file);
+		if (vm_flags & VM_EXECUTABLE)
+			removed_exe_file_vma(mm);
+	} else {
+		vma_link(mm, vma, prev, rb_link, rb_parent);
+		file = vma->vm_file;
+	}
+
+	/* Once vma denies write, undo our temporary denial count */
+	if (correct_wcount)
+		atomic_inc(&inode->i_writecount);
+
+	mm->total_vm += len >> PAGE_SHIFT;
+	vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
+	if (vm_flags & VM_LOCKED) {
+		mm->locked_vm += len >> PAGE_SHIFT;
+		make_pages_present(addr, addr + len);
+	}
+	if ((flags & MAP_POPULATE) && !(flags & MAP_NONBLOCK))
+		make_pages_present(addr, addr + len);
+	return addr;
+
+unmap_and_free_vma:
+	if (correct_wcount)
+		atomic_inc(&inode->i_writecount);
+	vma->vm_file = NULL;
+	fput(file);
+
+	/* Undo any partial mapping done by a device driver. */
+	unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
+	charged = 0;
+free_vma:
+	kmem_cache_free(vm_area_cachep, vma);
+unacct_error:
+	if (charged)
+		vm_unacct_memory(charged);
+	return error;
+}
+EXPORT_SYMBOL(mmap_io_region);
+
 /* Get an address range which is currently unmapped.
  * For shmat() with addr=0.
  *