> +/**
> + * struct kfuzztest_simple_fuzzer_state - Global state for the KFTF module.

s/KFTF/KFuzzTest

> +
> + pr_info("KFuzzTest: registered target %s", targ->name);
> + }
> +
> + /* Taint the kernel after successfully creating the debugfs entries. */
> + add_taint(TAINT_TEST, LOCKDEP_STILL_OK);

Maybe elaborate a little that we taint the kernel because these entry points allow calling (almost) arbitrary kernel code upon user request?

> + /* Patch pointers. */
> + for (i = 0; i < rt->num_entries; i++) {
> + re = rt->entries[i];
> + src = regions->regions[re.region_id];
> + ptr_location = (uintptr_t *)((char *)payload_start + src.offset + re.region_offset);
> + if (re.value == KFUZZTEST_REGIONID_NULL)
> + *ptr_location = (uintptr_t)NULL;
> + else if (re.value < regions->num_regions) {
> + dst = regions->regions[re.value];
> + *ptr_location = (uintptr_t)((char *)payload_start + dst.offset);
> + } else
> + return -EINVAL;

There should be braces around this return statement, see https://www.kernel.org/doc/html/latest/process/coding-style.html#placing-braces-and-spaces.

> +
> +static bool kfuzztest_input_is_valid(struct reloc_region_array *regions, struct reloc_table *rt, void *payload_start,
> + void *payload_end)
> +{
> + size_t payload_size = (char *)payload_end - (char *)payload_start;

You seem to be casting payload_start and payload_end to char* almost everywhere, maybe declare them as [unsigned] char * instead?
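Review bot: the pr_info() in the target-registration hunk is missing the trailing newline in its format string; kernel log messages should end with "\n" (`pr_info("KFuzzTest: registered target %s\n", targ->name);`), and checkpatch will flag the current form.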
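Review bot: in the "Patch pointers" loop, re.value is range-checked against regions->num_regions before it is used as an index, but re.region_id is used to index regions->regions[] and src.offset + re.region_offset is used to form the address of a pointer-sized write with no check visible in this hunk. Since the relocation table is part of the fuzzer input, both should be validated before *ptr_location is written (region_id < num_regions, and the whole uintptr_t at offset + region_offset lying inside the payload and suitably aligned); if kfuzztest_input_is_valid() already guarantees this, a comment here stating that invariant would make it explicit.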
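Review bot: in kfuzztest_input_is_valid(), payload_size is computed as (char *)payload_end - (char *)payload_start and stored in a size_t, so a payload_end below payload_start silently wraps to a huge size rather than failing validation; either check payload_end >= payload_start first and return false, or document that callers guarantee the ordering.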