buffer overflow issue after enabling MTE

[sj2202-park]

I encountered the crash issue when executing a model using the benchmark tool.

• Test env : Galaxy S26 with MTE(Memory Tagging Extension) on
• ML Framework : Tensorfow Lite
• Reproduction ratio : 100%

====================================================================
Cmdline: ./benchmark_model_dbg --graph=model.tflite
pid: 16173, ppid: 16167, tid: 16173, name: benchmark_model >>> ./benchmark_model_dbg <<<
uid: 0
tagged_addr_ctrl: 000000000007fff7 (PR_TAGGED_ADDR_ENABLE, PR_MTE_TCF_SYNC, PR_MTE_TCF_ASYNC, mask 0xfffe)
pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
esr: 0000000092000011 (Data Abort Exception 0x24)
signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0c0000774460d0c0 (read)
Cause: [MTE]: Buffer Overflow, 13 bytes right of a 5523-byte allocation at 0x774460bb20
x0 020000771460b36c x1 0c0000774460d0bc x2 0000000000000014 x3 09000075a4623990
x4 0c0000774460d0d0 x5 020000771460b380 x6 0000000000000000 x7 0000000000000000
x8 020000771460b36c x9 09000075a4623960 x10 0000000000000000 x11 0000000000000003
x12 0000000000000000 x13 0000000000000000 x14 00000008ba7b352c x15 0000000034155555
x16 0000005df4a8e5d0 x17 000000783b16ea40 x18 000000783f8c4000 x19 0000005df3aef060
x20 0000000000000002 x21 0000000000000002 x22 0000007ff9d52c28 x23 0000007ff9d52c38
x24 0000000000000000 x25 0000000000000000 x26 0000000000000000 x27 0000000000000000
x28 0000000000000000 x29 0000007ff9d4fef0
lr 0000005df47bcccc sp 0000007ff9d4fed0 pc 000000783b16ea64 pst 0000000020001000
esr 0000000092000011 vg 0000000000000002

20 total frames
backtrace:
#00 pc 00000000000a5a64 /apex/com.android.runtime/lib64/bionic/libc.so (__memmove_aarch64_nt+36) (BuildId: 3c40a3f379b085efaaa6d495d43b79ac)
#1 pc 00000000013c0cc8 /data/local/tmp/benchmark_model_dbg (xnn_xx_copy_ukernel__scalar_memcpy+184) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#2 pc 00000000013271b0 /data/local/tmp/benchmark_model_dbg (xnn_compute_univector_strided+140) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#3 pc 00000000015ef920 /data/local/tmp/benchmark_model_dbg (pthreadpool_parallelize_1d_tile_1d_dynamic+148) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#4 pc 0000000001329b20 /data/local/tmp/benchmark_model_dbg (xnn_run_operator_with_index+1136) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#5 pc 00000000012eed94 /data/local/tmp/benchmark_model_dbg (xnn_invoke_runtime+224) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#6 pc 000000000124e250 /data/local/tmp/benchmark_model_dbg (tflite::xnnpack::(anonymous namespace)::Subgraph::Invoke(TfLiteContext*, bool, tflite::xnnpack::(anonymous namespace)::Delegate*)+1928) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#7 pc 0000000001244e24 /data/local/tmp/benchmark_model_dbg (tflite::xnnpack::(anonymous namespace)::SubgraphInvoke(TfLiteContext*, TfLiteNode*)+120) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#8 pc 000000000128792c /data/local/tmp/benchmark_model_dbg (tflite::Subgraph::OpInvoke(TfLiteRegistration const&, TfLiteNode*)+348) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#9 pc 00000000012885c4 /data/local/tmp/benchmark_model_dbg (tflite::Subgraph::InvokeImpl()+1300) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#10 pc 0000000001288080 /data/local/tmp/benchmark_model_dbg (tflite::Subgraph::Invoke()+24) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#11 pc 000000000119d1b8 /data/local/tmp/benchmark_model_dbg (tflite::impl::Interpreter::Invoke()+124) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#12 pc 00000000006f5820 /data/local/tmp/benchmark_model_dbg (tflite::benchmark::BenchmarkInterpreterRunner::Invoke()+76) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#13 pc 00000000006ff034 /data/local/tmp/benchmark_model_dbg (tflite::benchmark::BenchmarkTfLiteModel::RunImpl()+28) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#14 pc 0000000000730268 /data/local/tmp/benchmark_model_dbg (tflite::benchmark::BenchmarkModel::Run(int, float, float, tflite::benchmark::RunType, TfLiteStatus*)+604) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#15 pc 0000000000730be8 /data/local/tmp/benchmark_model_dbg (tflite::benchmark::BenchmarkModel::Run()+1176) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#16 pc 00000000007306fc /data/local/tmp/benchmark_model_dbg (tflite::benchmark::BenchmarkModel::Run(int, char**)+96) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#17 pc 00000000006f2c0c /data/local/tmp/benchmark_model_dbg (tflite::benchmark::Main(int, char**)+140) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#18 pc 00000000006f3080 /data/local/tmp/benchmark_model_dbg (main+32) (BuildId: f70fa405d8e9f47545267648ab2f5657)
#19 pc 000000000006e984 /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+124) (BuildId: 3c40a3f379b085efaaa6d495d43b79ac)

Note: To display stack pointer information, use the pbtombstone tool:
pbtombstone --display-sp tombstone_XX.pb

Memory tags around the fault address (0xc0000774460d0c0), one tag per 16 bytes:
0x774460c800: c c c c c c c c c c c c c c c c
0x774460c900: c c c c c c c c c c c c c c c c
0x774460ca00: c c c c c c c c c c c c c c c c
0x774460cb00: c c c c c c c c c c c c c c c c
0x774460cc00: c c c c c c c c c c c c c c c c
0x774460cd00: c c c c c c c c c c c c c c c c
0x774460ce00: c c c c c c c c c c c c c c c c
0x774460cf00: c c c c c c c c c c c c c c c c
=>0x774460d000: c c c c c c c c c c c c [0] 0 0 0
0x774460d100: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0x774460d200: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0x774460d300: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0x774460d400: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0x774460d500: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0x774460d600: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 3
0x774460d700: 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

====================================================================

Could you let me know if there's know issue regarding this one?
And please let me know how I can share the tflite model for your reference.

Thank you,
SangJun

[sj2202-park]

Unfortunately the issue is still reproduced even with the shared fix.
FYI no issue observed with "enable_subgraph_reshaping_" to "false" on the xnnpack_delegate.cc.

[Log with a fix]
--------- beginning of crash
04-19 17:01:55.694 24666 2466 F libc : Fatal signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x800007925a0c0c0 in tid 24666 (benchmark_model), pid 24666 (benchmark_model)
04-19 17:01:55.702 24564 24564 I [aw8624x_haptic][0441]aw8624x_play_stop: entered standby! glb_state=0x00
04-19 17:01:55.702 24669 24669 I crash_dump64: obtaining output fd from tombstoned, type: kDebuggerdTombstoneProto
04-19 17:01:55.702 1463 1463 I tombstoned: received crash request for pid 24666
04-19 17:01:55.702 24669 24669 I crash_dump64: performing dump of process 24666 (target tid = 24666)
04-19 17:01:55.720 24669 24669 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
04-19 17:01:55.720 24669 24669 F DEBUG : Build fingerprint: 'samsung/b8qsqw/b8q:17/CP2A.260330.003/F776USQU0AZD9_SE1_OYN0AZD9_SE1:userdebug/test-keys'
04-19 17:01:55.720 24669 24669 F DEBUG : Kernel Release: '6.12.58-android16-6-pe2c40bc-abogkiF776USQU0AZD9_SE1-4k'
04-19 17:01:55.720 24669 24669 F DEBUG : Revision: '8'
04-19 17:01:55.720 24669 24669 F DEBUG : ABI: 'arm64'
04-19 17:01:55.720 24669 24669 F DEBUG : Processor: '5'
04-19 17:01:55.720 24669 24669 F DEBUG : Timestamp: 2026-04-19 17:01:55.703882758+0900
04-19 17:01:55.720 24669 24669 F DEBUG : Process uptime: 1s
04-19 17:01:55.720 24669 24669 F DEBUG : Executable: /data/local/tmp/benchmark_model
04-19 17:01:55.720 24669 24669 F DEBUG : Cmdline: ./benchmark_model --graph=./model.tflite
04-19 17:01:55.720 24669 24669 F DEBUG : pid: 24666, ppid: 21102, tid: 24666, name: benchmark_model >>> ./benchmark_model <<<
04-19 17:01:55.720 24669 24669 F DEBUG : uid: 0
04-19 17:01:55.720 24669 24669 F DEBUG : tagged_addr_ctrl: 000000000007fff7 (PR_TAGGED_ADDR_ENABLE, PR_MTE_TCF_SYNC, PR_MTE_TCF_ASYNC, mask 0xfffe)
04-19 17:01:55.720 24669 24669 F DEBUG : pac_enabled_keys: 000000000000000f (PR_PAC_APIAKEY, PR_PAC_APIBKEY, PR_PAC_APDAKEY, PR_PAC_APDBKEY)
04-19 17:01:55.720 24669 24669 F DEBUG : esr: 0000000092000011 (Data Abort Exception 0x24)
04-19 17:01:55.720 24669 24669 F DEBUG : signal 11 (SIGSEGV), code 9 (SEGV_MTESERR), fault addr 0x0800007925a0c0c0 (read)
04-19 17:01:55.720 24669 24669 F DEBUG : Cause: [MTE]: Buffer Overflow, 13 bytes right of a 5523-byte allocation at 0x7925a0ab20
04-19 17:01:55.720 24669 24669 F DEBUG : x0 0400007945a0637c x1 0800007925a0c0bc x2 0000000000000014 x3 0500007a75a2ee60
04-19 17:01:55.720 24669 24669 F DEBUG : x4 0800007925a0c0d0 x5 0400007945a06390 x6 0000000000000000 x7 0000000000000000
04-19 17:01:55.720 24669 24669 F DEBUG : x8 0000000000000014 x9 0000000001080000 x10 0500007a75a2ee30 x11 0400007a55a10620
04-19 17:01:55.720 24669 24669 F DEBUG : x12 0000000000000000 x13 0000000000000000 x14 00000000000000bc x15 be378a4cbeecb13d
04-19 17:01:55.720 24669 24669 F DEBUG : x16 0000005c68c34bd0 x17 0000007bb5d4da40 x18 0000007bbf420000 x19 0500007a75a2ee30
04-19 17:01:55.720 24669 24669 F DEBUG : x20 0800007925a0c0bc x21 0400007945a0637c x22 0000000000000001 x23 0000000000000014
04-19 17:01:55.720 24669 24669 F DEBUG : x24 00000000000000d4 x25 0000005c685dd158 x26 0000000000000000 x27 0200007a95a101f0
04-19 17:01:55.720 24669 24669 F DEBUG : x28 0800007925a0abc0 x29 0000000000000019
04-19 17:01:55.720 24669 24669 F DEBUG : lr 0000005c68b06ba0 sp 0000007fcfffaac0 pc 0000007bb5d4da64 pst 0000000020001000
04-19 17:01:55.720 24669 24669 F DEBUG : esr 0000000092000011 vg 0000000000000002
04-19 17:01:55.720 24669 24669 F DEBUG : 14 total frames
04-19 17:01:55.721 24669 24669 F DEBUG : backtrace:
04-19 17:01:55.721 24669 24669 F DEBUG : #00 pc 00000000000a5a64 /apex/com.android.runtime/lib64/bionic/libc.so (__memmove_aarch64_nt+36) (BuildId: 3c40a3f379b085efaaa6d495d43b79ac)
04-19 17:01:55.721 24669 24669 F DEBUG : #1 pc 00000000005ceb9c /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #2 pc 00000000006819f4 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #3 pc 00000000005d07a8 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.723 1076 1076 I logd : logdr: UID=0 GID=0 PID=24669 n tail=500 logMask=8 pid=24666 start=0ns deadline=0ns
04-19 17:01:55.723 1076 1076 I logd : logdr: UID=0 GID=0 PID=24669 n tail=500 logMask=1 pid=24666 start=0ns deadline=0ns
04-19 17:01:55.721 24669 24669 F DEBUG : #4 pc 00000000005bab8c /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #5 pc 000000000057f0c0 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #6 pc 000000000059f974 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #7 pc 000000000059f2d0 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #8 pc 000000000054b334 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #9 pc 00000000001dc00c /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #10 pc 00000000001dd07c /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #11 pc 00000000001dc970 /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #12 pc 00000000001c31dc /data/local/tmp/benchmark_model (BuildId: 270e0e9e5a669c370f5f34f6e743ab5f)
04-19 17:01:55.721 24669 24669 F DEBUG : #13 pc 000000000006e984 /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+124) (BuildId: 3c40a3f379b085efaaa6d495d43b79ac)