qemu-mips crashes when a non-MAP_FIXED mmap syscall has a hint address near the top of the address space

Host environment

  • Operating system: Ubuntu 25.10
  • OS/kernel version: 6.17.0-14-generic
  • Architecture: x86_64
  • QEMU flavor: qemu-mips(n32)(el)
  • QEMU version: 10.2.1
  • QEMU command line: See below

Emulated/Virtualized environment

  • Operating system: Linux
  • OS/kernel version: N/A
  • Architecture: mips(n32)(el)

Description of problem

qemu-mips crashes when a non-MAP_FIXED mmap syscall has a hint address near the top of the address space.

If the hint cannot be satisfied, it should simply be ignored.

Steps to reproduce

❯ bat bug.c
#include <sys/mman.h>
int main() { mmap((void *)0xfffff000, 1, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); }
❯ zig4 cc bug.c -target mips-linux-musleabihf
❯ qemu-mips a.out
qemu-mips: ../accel/tcg/user-exec.c:581: page_find_range_empty: Assertion `min <= max' failed.