--- libmalloc/libmalloc-792.60.6/src/early_malloc.c
+++ libmalloc/libmalloc-715.120.13/src/early_malloc.c
@@ -47,9 +47,7 @@
 #if MALLOC_TARGET_EXCLAVES || MALLOC_TARGET_EXCLAVES_INTROSPECTOR
 #define MFM_ARENA_SIZE      (1ul << 20)
 #else
-// Originally this was set to 8M: we shrank it down to 4M to accomodate for
-// the guarded range reservation (as the arena was heavily underused anyway).
-#define MFM_ARENA_SIZE      (4ul << 20)
+#define MFM_ARENA_SIZE      (8ul << 20)
 #endif /* MALLOC_TARGET_EXCLAVES || MALLOC_TARGET_EXCLAVES_INTROSPECTOR */
 #define MFM_QUANTUM         16ul
 #define MFM_SIZE_CLASSES    (__builtin_ctz(MFM_ALLOC_SIZE_MAX / MFM_QUANTUM) + 1)
@@ -159,9 +157,6 @@
 #define mfmh_freelist       mfm_header.mfm_freelist
 
 static struct mfm_arena    *mfm_arena;
-#if CONFIG_MTE
-static bool mfm_memtag_enabled = false;
-#endif // CONFIG_MTE
 
 #pragma mark validation and helper functions
 
@@ -535,23 +530,6 @@
 #endif
 }
 
-#if CONFIG_MTE
-/*!
- * @function __mfm_block_fixup_ptr()
- *
- * @brief
- * Loads the tag for a given block pointer, and returns the
- * tagged pointer.
- *
- * @discussion
- * This must be called with mfm_memtag_enabled set to true.
- */
-static struct mfm_block *
-__mfm_block_fixup_ptr(struct mfm_block *blk)
-{
-	return (struct mfm_block *)memtag_fixup_ptr((uint8_t *)blk);
-}
-#endif // CONFIG_MTE
 
 /*!
  * @function __mfm_block_insert_head()
@@ -573,12 +551,6 @@
 	offs = __mfm_block_offset(arena, blk);
 	next_blk = &arena->mfm_base[next];
 
-#if CONFIG_MTE
-	if (mfm_memtag_enabled) {
-		blk = __mfm_block_fixup_ptr(blk);
-		next_blk = __mfm_block_fixup_ptr(next_blk);
-	}
-#endif // CONFIG_MTE
 
 	blk->mfmb_prev = head;
 	__mfm_block_set_next(blk, next);
@@ -598,22 +570,11 @@
 	uint64_t next, prev;
 	struct mfm_block *next_blk, *prev_blk;
 
-#if CONFIG_MTE
-	if (mfm_memtag_enabled) {
-		blk = __mfm_block_fixup_ptr(blk);
-	}
-#endif // CONFIG_MTE
 
 	next = __mfm_block_next(blk);
 	prev = blk->mfmb_prev;
 	next_blk = &arena->mfm_base[next];
 	prev_blk = &arena->mfm_base[prev];
-#if CONFIG_MTE
-	if (mfm_memtag_enabled) {
-		next_blk = __mfm_block_fixup_ptr(next_blk);
-		prev_blk = __mfm_block_fixup_ptr(prev_blk);
-	}
-#endif // CONFIG_MTE
 	next_blk->mfmb_prev = prev;
 	__mfm_block_set_next(prev_blk, next);
 	__builtin_bzero(blk, sizeof(struct mfm_block));
@@ -690,26 +651,8 @@
 	debug_flags = DISABLE_ASLR | MALLOC_ADD_GUARD_PAGE_FLAGS;
 #endif // MALLOC_TARGET_EXCLAVES
 
-#if CONFIG_MTE
-	// Tie the enablement of memory tagging support in MFM to
-	// malloc_has_sec_transition: we rely on mfm_initialize
-	// being called *after* this has been setup by malloc proper.
-	mfm_memtag_enabled = malloc_has_sec_transition;
-#if MALLOC_TARGET_EXCLAVES
-	if (mfm_memtag_enabled) {
-		debug_flags |= MALLOC_MTE_TAGGABLE;
-	}
-#else
-	mfm_memtag_enabled =
-			mfm_memtag_enabled && malloc_sec_transition_early_malloc_support;
-
-	if (mfm_memtag_enabled) {
-		alloc_flags |= VM_FLAGS_MTE;
-	}
-#endif // !MALLOC_TARGET_EXCLAVES
-#endif // CONFIG_MTE
-
-	/* this is called early, which means the address space _does_ have 4M */
+
+	/* this is called early, which means the address space _does_ have 8M */
 	arena = mvm_allocate_pages_plat(MFM_ARENA_SIZE, 0, debug_flags,
 			VM_MEMORY_MALLOC, mvm_plat_map(map));
 	if (arena == NULL) {
@@ -770,9 +713,6 @@
 	struct mfm_arena *arena = os_atomic_load(&mfm_arena, dependency);
 	size_t index;
 
-#if CONFIG_MTE
-	ptr = memtag_strip_address((void *)ptr);
-#endif // CONFIG_MTE
 
 	if (!__mfm_address_owned(arena, ptr)) {
 		return 0ul;
@@ -871,14 +811,6 @@
 #endif
 	__mfm_unlock(arena);
 
-#if CONFIG_MTE
-	// Set the tag for the block we are returning to the caller.
-	if (mfm_memtag_enabled) {
-		ptr = memtag_assign_tag(ptr, size * MFM_QUANTUM);
-		// Blocks from the early arena may have arbitrary 16B-alignment
-		memtag_set_tag_unaligned(ptr, size * MFM_QUANTUM);
-	}
-#endif // CONFIG_MTE
 
 	return ptr;
 }
@@ -894,9 +826,6 @@
 	dprintf(STDERR_FILENO, "{ -1, %p },\n", ptr);
 #endif
 
-#if CONFIG_MTE
-	addr = memtag_strip_address((void *)ptr);
-#endif // CONFIG_MTE
 
 	if (!__mfm_address_owned(arena, addr)) {
 		MFM_INTERNAL_CRASH(ptr, "not MFM owned");
@@ -908,14 +837,6 @@
 	}
 	size = __mfm_block_size(arena, index);
 
-#if CONFIG_MTE
-	// Retag the block we are freeing.
-	if (mfm_memtag_enabled) {
-		ptr = memtag_assign_tag(ptr, MFM_QUANTUM * size);
-		// Blocks from the early arena may have arbitrary 16B-alignment
-		memtag_set_tag_unaligned(ptr, MFM_QUANTUM * size);
-	}
-#endif // CONFIG_MTE
 
 	bzero(ptr, MFM_QUANTUM * size);
 
@@ -967,31 +888,7 @@
 {
 	struct mfm_arena *arena = os_atomic_load(&mfm_arena, dependency);
 
-#if CONFIG_MTE
-	// After checking that this pointer belongs to us, verify that the logical
-	// tag of the pointer matches the physical tag stored in memory. If that is
-	// not the case, report this pointer as not claimed.
-	//
-	// The layers above us (xzone and malloc proper) rely on this behaviour.
-	// This is required to properly handle (i.e. fail) the lookup of a pointer
-	// with a mismatching tag: in the free() and realloc() paths, the dispatch
-	// layer (malloc proper) will try to validate the tag of the pointer, and
-	// raise a fatal exception if it doesn't match the tag stored in memory.
-	//
-	// Note: we need to validate the tag after ensuring that we own the
-	// pointer, otherwise we might incur in passing complete garbage to ldg,
-	// which would lead to a crash even in paths that need to possibly operate
-	// on completely invalid pointers (e.g. malloc_size()).
-	bool claimed = __mfm_address_owned(arena, memtag_strip_address(ptr));
-	if (claimed && mfm_memtag_enabled) {
-		if (!memtag_tags_match(ptr, memtag_fixup_ptr(ptr))) {
-			return false;
-		}
-	}
-	return claimed;
-#else
 	return __mfm_address_owned(arena, ptr);
-#endif
 }
 
 void *