Bits 10 and 11 of the offset are not checked for being zero
when the offset is converted from a 64-bit byte count to a
32-bit page count.  The low 12 bits are discarded, but only
the low 10 bits (and the top 20 bits) are checked for being zero.

Here is version info and demonstration of the bug:
-----
$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
$ uname -a
Linux buffalo 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
$ gdb /lib/libc.so.6
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) x/20i mmap64
0xafc20 <__mmap64>:     push   %ebp
0xafc21 <__mmap64+1>:   push   %ebx
0xafc22 <__mmap64+2>:   push   %esi
0xafc23 <__mmap64+3>:   push   %edi
0xafc24 <__mmap64+4>:   mov    0x28(%esp,1),%edx
0xafc28 <__mmap64+8>:   mov    0x2c(%esp,1),%ecx
0xafc2c <__mmap64+12>:  test   $0x3ff,%edx         # test bottom 10 bits
0xafc32 <__mmap64+18>:  jne    0xafc6b <__mmap64+75>
0xafc34 <__mmap64+20>:  shrd   $0xc,%ecx,%edx      \  discard bottom 12
bits
0xafc38 <__mmap64+24>:  shr    $0xc,%ecx           /
0xafc3b <__mmap64+27>:  jne    0xafc6b <__mmap64+75>    # test top 20 bits
0xafc3d <__mmap64+29>:  mov    %edx,%ebp
0xafc3f <__mmap64+31>:  mov    0x14(%esp,1),%ebx
0xafc43 <__mmap64+35>:  mov    0x18(%esp,1),%ecx
0xafc47 <__mmap64+39>:  mov    0x1c(%esp,1),%edx
0xafc4b <__mmap64+43>:  mov    0x20(%esp,1),%esi
0xafc4f <__mmap64+47>:  mov    0x24(%esp,1),%edi
0xafc53 <__mmap64+51>:  mov    $0xc0,%eax
0xafc58 <__mmap64+56>:  int    $0x80
0xafc5a <__mmap64+58>:  pop    %edi
-----