(Note this patch series does not work so far and needs some help, read on ...)

Patches 1 & 2 are general cleanup.

The rest of the patches aim to add fuzzing support for Passt using AFL++, Clang and ASAN. I used the same approach as with libnbd:

https://gitlab.com/nbdkit/libnbd/-/tree/master/fuzzing

Firstly (patch 3) I added an --fd option. This is useful for fuzzing, but also generally useful. It allows a controller process to open a connected stream socket and pass that down to passt via inheritance. Uses outside fuzzing include: having the controlling process open the socket with elevated privileges, and allowing alternate address families to be used (eg. vsock or IB).

Unfortunately I don't think the --fd option is working. stracing the code shows the socket being added to the epoll, but it somehow never gets read. It might be something obvious but I couldn't see what was wrong. (NB: The socket passed in is *connected* already).

Patch 4 adds the fuzzing wrapper. The purpose of the wrapper is to allow AFL to submit test cases to passt as local files. It works by creating a socketpair(2), forking and execing passt in the parent:

    (parent)    passt -f -e -1 --fd <sock>
                                   |   ^
                                   |   |
    (child)                        |   input file
                                   V
                               /dev/null

The child reads the input file (test case) from the command line and pushes it into the socket, while discarding anything written by passt. IOW the child takes the place of qemu.

With all patches applied you can test the wrapper alone using:

    $ ./fuzz-wrapper testcase_dir/empty_tap

You will see that it currently hangs which it should not do, and I suspect the problem is related to the implementation of --fd as the wrapper is old and well-tested code.

Rich.
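
The wrapper layout described above (socketpair, fork, passt exec'd in the parent, the child feeding the test case and discarding replies), sketched in C as an added example; it is not the fuzz-wrapper from this series or from libnbd. It assumes a passt binary on PATH built with the series' --fd option; the name feed_and_drain and the use of shutdown(SHUT_WR) to mark end of input are choices made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Child side (stands in for qemu): push the test case into sock and discard
 * whatever the target writes back. Returns bytes sent, or -1 on local error. */
long feed_and_drain(int sock, int in_fd)
{
    char in[4096], junk[4096];
    ssize_t n = 0, off = 0, r;
    long sent = 0; int eof = 0;
    for (;;) {
        if (!eof && off == n) {                 /* buffer drained: refill it */
            if ((n = read(in_fd, in, sizeof in)) < 0) return -1;
            off = 0;
            if (n == 0) { eof = 1; shutdown(sock, SHUT_WR); } /* assumed EOF signal */
        }
        struct pollfd p = { .fd = sock, .events = POLLIN | (eof ? 0 : POLLOUT) };
        if (poll(&p, 1, -1) < 0) return -1;
        if (p.revents & (POLLIN | POLLHUP | POLLERR))
            if (read(sock, junk, sizeof junk) <= 0) return sent; /* target gone */
        if (p.revents & POLLOUT) {
            r = send(sock, in + off, n - off, MSG_NOSIGNAL | MSG_DONTWAIT);
            if (r < 0 && errno != EAGAIN) return sent;
            if (r > 0) { off += r; sent += r; }
        }
    }
}

int main(int argc, char *argv[])
{
    int sv[2], in_fd;
    char fd_str[16];
    if (argc != 2 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 2;
    switch (fork()) {
    case -1: return 1;
    case 0:                                     /* child: feeder */
        close(sv[1]);                           /* drop the target's end */
        if ((in_fd = open(argv[1], O_RDONLY)) < 0) _exit(1);
        _exit(feed_and_drain(sv[0], in_fd) < 0);
    }
    close(sv[0]);          /* target keeps only its own end, so it can see hangup */
    snprintf(fd_str, sizeof fd_str, "%d", sv[1]);
    execlp("passt", "passt", "-f", "-e", "-1", "--fd", fd_str, (char *)NULL);
    perror("execlp"); return 1;
}
```

Because passt replaces the parent process, AFL observes the target's own exit status or ASAN abort directly; the socket is created without SOCK_CLOEXEC so that it survives the exec.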