From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: firmware: qcom: Add a PAS TEE service
Date: Tue, 28 Apr 2026 14:49:23 +1000
Message-ID: <review-patch4-20260427095603.1157963-5-sumit.garg@kernel.org>
In-Reply-To: <20260427095603.1157963-5-sumit.garg@kernel.org>
References: <20260427095603.1157963-1-sumit.garg@kernel.org> <20260427095603.1157963-5-sumit.garg@kernel.org>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0

Patch Review

The TEE backend implementation using OP-TEE.

**`qcom_pas_tee_get_rsc_table()` -- `output_rt_size` may not be set.** When the first `tee_client_invoke_func` call returns with `param[1].u.memref.size == 0`, the function skips the second call and returns `NULL`. But `*output_rt_size` is never written in this path, leaving it with whatever the caller initialized it to. The caller in `qcom_q6v5_pas.c` passes `&output_rt_size` which is likely uninitialized. If the caller checks `output_rt_size` after getting a NULL return, it could use garbage. Consider initializing `*output_rt_size = 0` at the top of the function.

**`qcom_pas_tee_get_rsc_table()` -- first call has no shm but passes size.** The first invocation sets `param[1].u.memref.size = input_rt_size` but `param[1].u.memref.shm` is NULL (zeroed by the initializer). This seems like a protocol detail where the TEE-side uses the size parameter to report back the needed buffer size without actually reading from the memref. This is fine if the OP-TEE TA implements it that way, but should be documented.

**Copy-paste error in error message.** In `qcom_pas_tee_set_remote_state()`:
```c
dev_err(dev, "PAS shutdown failed, pas_id: %d, ret: %d, err: 0x%x\n",
```
The message says "shutdown" but this is the `set_remote_state` function. Should say "PAS set remote state failed".

**`qcom_pas_tee_auth_and_reset` ignores mem_phys/mem_size for non-context path.** Passing `0, 0` for `mem_phys` and `mem_size` when called from `qcom_pas_tee_auth_and_reset()` (without context) seems intentional but means the TEE-side must handle the case where no memory region is provided. Worth a comment.

**Kconfig: `default m if ARCH_QCOM`.** This means `QCOM_PAS_TEE` auto-enables on all Qualcomm platforms even if OP-TEE isn't being used. This might pull in unnecessary dependencies. Consider making it depend on user selection or a more specific config.

---
Generated by Claude Code Patch Reviewer