netvsp: adding libfuzz tests to validate packet processing and event handling #2917

Open
erfrimod wants to merge 6 commits into microsoft:main from erfrimod:erfrimod/netvsp-fuzz
erfrimod commented Mar 9, 2026

Adding fuzz tests for netvsp's processing of RNDIS messages, OIDs, traffic, and the handling of various external signals. Protocol structs and enums have been modified to derive Arbitrary crate. A bit of test code was refactored so that the fuzz tests could leverage it. Created a .dict, wrote up a markdown file, and created two xtasks for running the netvsp fuzz tests.

Fuzz tests added:

  • fuzz_netvsp_interop - combination of actions from the other fuzz tests
  • fuzz_netvsp_control - NetVSP control messages
  • fuzz_netvsp_oid - RNDIS OID query + set
  • fuzz_netvsp_tx_path - synthetic datapath send
  • fuzz_netvsp_rx_path - synthetic datapath receive
  • fuzz_netvsp_link_status - link up/down
  • fuzz_netvsp_vf_state - VF association, and datapath switch
  • fuzz_netvsp_subchannel - subchannel allocation
  • fuzz_netvsp_save_restore - NIC save + restore

High-value Bugs Fixed - Worker panics on guest provided input:

  • Unexpected packet type kills worker
  • Invalid RNDIS packet completion kills worker
  • Packet parse failure kills worker
  • Failed RNDIS control message kills worker
  • Config parameter parsing panics on non-digit byte
  • Zero-size RSS indirection table (division by zero)
  • Receive buffer write overflow (out-of-bounds page write)
  • close() panics on out-of-range channel index

Medium-value Bugs Fixed

  • max_subchannels() off-by-one
  • RxBufferRanges::new() arithmetic underflow

Low-value Bugs Fixed - Invalid state

  • Invalid save state is supplied, restore fails
  • Invalid send/receive buffers are provided, initialization fails
  • MTU/sub-allocation not validated during queue restart
  • RxBuffers::allocate() accepts empty/OOB buffer IDs
  • enable_channels() accepts counts exceeding event vector

Per-File Coverage
----------------------------------------------

  buffers.rs                                116 /  153 lines ( 75.8%)  8/11 fn (72.7%)
  lib.rs                                   3054 / 3529 lines ( 86.5%)  205/218 fn (94.0%)
  protocol.rs                                 0 /    9 lines (  0.0%)  0/3 fn (0.0%)
  resolver.rs                                 0 /    2 lines (  0.0%)  0/1 fn (0.0%)
  rndisprot.rs                               85 /  147 lines ( 57.8%)  20/36 fn (55.6%)
  rx_bufs.rs                                 74 /   78 lines ( 94.9%)  11/11 fn (100.0%)
  saved_state.rs                             11 /   11 lines (100.0%)  3/3 fn (100.0%)
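
Three of the guest-input panic classes listed above (non-digit config byte, zero-size RSS indirection table, receive-buffer write past the end) share one fix pattern: validate, then return an error instead of indexing or dividing. The following is an added example, not code from this PR or from netvsp; every name in it (`GuestInputError`, `parse_decimal`, `queue_for_hash`, `write_rx`) is hypothetical and the inputs in `main` are constructed.

```rust
// Added illustration with hypothetical names; not code from netvsp.
#[derive(Debug, PartialEq)]
pub enum GuestInputError {
    NonDigit(u8),
    Overflow,
    EmptyIndirectionTable,
    OutOfBounds,
}

/// Parse an ASCII decimal config value taken from guest-supplied bytes.
pub fn parse_decimal(bytes: &[u8]) -> Result<u32, GuestInputError> {
    let mut value: u32 = 0;
    for &b in bytes {
        if !b.is_ascii_digit() {
            return Err(GuestInputError::NonDigit(b)); // reject, never panic
        }
        value = value
            .checked_mul(10)
            .and_then(|v| v.checked_add(u32::from(b - b'0')))
            .ok_or(GuestInputError::Overflow)?;
    }
    Ok(value)
}

/// Select a queue from a guest-supplied RSS indirection table.
pub fn queue_for_hash(hash: u32, table: &[u16]) -> Result<u16, GuestInputError> {
    if table.is_empty() {
        return Err(GuestInputError::EmptyIndirectionTable); // `hash % 0` panics
    }
    Ok(table[hash as usize % table.len()])
}

/// Copy a frame into the receive buffer at a guest-influenced offset.
pub fn write_rx(buf: &mut [u8], offset: usize, data: &[u8]) -> Result<(), GuestInputError> {
    // checked_add guards the offset + len computation; get_mut guards the range.
    let end = offset.checked_add(data.len()).ok_or(GuestInputError::OutOfBounds)?;
    let dst = buf.get_mut(offset..end).ok_or(GuestInputError::OutOfBounds)?;
    dst.copy_from_slice(data);
    Ok(())
}

fn main() {
    // Constructed malformed inputs, one per bug class.
    let mut rx = [0u8; 8];
    println!("{:?}", parse_decimal(b"15x0"));
    println!("{:?}", queue_for_hash(7, &[]));
    println!("{:?}", write_rx(&mut rx, 6, &[1, 2, 3]));
}
```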

@erfrimod erfrimod requested review from a team as code owners March 9, 2026 22:00
Copilot AI review requested due to automatic review settings March 9, 2026 22:00
@erfrimod erfrimod requested a review from a team as a code owner March 9, 2026 22:00
@github-actions github-actions bot added the Guide label Mar 9, 2026
Copilot AI left a comment

Pull request overview

Adds a dedicated libFuzzer-based fuzzing suite for the netvsp device (NVSP/RNDIS control + datapath + subchannels + VF + save/restore), along with supporting harness/mocks, docs, and xtask helpers. In support of fuzzing (and to fix issues found by it), the PR also hardens several netvsp packet/state-machine paths against malformed inputs and refactors some test utilities for reuse.

Changes:

  • Introduces a new fuzz_netvsp fuzz crate with 9 fuzz targets, shared helpers/mocks, and a NetVSP/RNDIS mutation dictionary.
  • Adds cargo xtask fuzz netvsp (campaign runner) and cargo xtask fuzz netvsp-coverage (merged coverage collection) commands plus Guide documentation.
  • Updates netvsp internals to be fuzz-friendly (Arbitrary derives, public modules under a feature) and fixes multiple crash/panic paths via validation + error handling.

Reviewed changes

Copilot reviewed 32 out of 33 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| xtask/src/tasks/fuzz/netvsp.rs | New xtask implementation for running a multi-target NetVSP fuzz campaign and collecting merged coverage. |
| xtask/src/tasks/fuzz/mod.rs | Wires new netvsp / netvsp-coverage subcommands into xtask fuzz CLI. |
| vm/devices/vmbus/vmbus_channel/src/channel.rs | Adds validation for subchannel enable count vs event vector length to avoid invalid state. |
| vm/devices/net/netvsp/src/test_helpers.rs | New shared helpers for unit tests + fuzz harness (guest rings + async channel wiring). |
| vm/devices/net/netvsp/src/test.rs | Refactors existing test code to use the new reusable test_helpers. |
| vm/devices/net/netvsp/src/saved_state.rs | Adds Arbitrary support for saved-state types; supplies manual Arbitrary impls where needed. |
| vm/devices/net/netvsp/src/rx_bufs.rs | Improves RX buffer allocation validation (empty / OOB IDs) and error reporting. |
| vm/devices/net/netvsp/src/rndisprot.rs | Makes protocol types Arbitrary-derivable and adjusts dead-code lint handling for fuzz/test builds. |
| vm/devices/net/netvsp/src/protocol.rs | Adds Arbitrary derives for NVSP protocol types used by fuzz targets. |
| vm/devices/net/netvsp/src/lib.rs | Exposes internal modules under feature flags for fuzzing; hardens packet processing / restore paths based on fuzz findings. |
| vm/devices/net/netvsp/src/buffers.rs | Prevents receive-buffer OOB writes by adding bounds checks and non-panicking handling. |
| vm/devices/net/netvsp/fuzz/netvsp_rndis.dict | Shared libFuzzer dictionary for NVSP/RNDIS versions, message types, OIDs, and edge values. |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_vf_state.rs | New VF/SR-IOV state-machine fuzz target. |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_tx_path.rs | New TX datapath fuzz target (RNDIS packet messages, PPIs, send-buffer path, completions). |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_subchannel.rs | New subchannel + multi-queue fuzz target using a multi-channel mock VMBus. |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_save_restore.rs | New save/restore fuzz target (arbitrary restore + snapshot mutation modes). |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_rx_path.rs | New RX path fuzz target (loopback + edge-case frame sizes + interleaved control). |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_oid.rs | New OID query/set fuzz target (structured + raw OID traffic). |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_link_status.rs | New fuzz target for link-status/restart signaling via endpoint actions. |
| vm/devices/net/netvsp/fuzz/fuzz_netvsp_control.rs | New fuzz target for NVSP control messages + raw packet types + control flooding. |
| vm/devices/net/netvsp/fuzz/fuzz_helpers/vmbus.rs | Mock VMBus implementations (multi-channel offers + restore handling) for fuzz harness. |
| vm/devices/net/netvsp/fuzz/fuzz_helpers/vf.rs | Fuzzer-controlled VirtualFunction implementation for VF state fuzzing. |
| vm/devices/net/netvsp/fuzz/fuzz_helpers/nic_setup.rs | Reusable NIC setup/teardown and subchannel opening logic for fuzz targets. |
| vm/devices/net/netvsp/fuzz/fuzz_helpers/endpoint.rs | Fuzzable endpoint wrapper supporting RX injection, action injection, and TX error injection. |
| vm/devices/net/netvsp/fuzz/Cargo.toml | New fuzz crate manifest (targets + allowlist metadata + dependencies). |
| vm/devices/net/netvsp/fuzz/.gitignore | Ignores local fuzz logs. |
| vm/devices/net/netvsp/Cargo.toml | Adds test/arbitrary features and optional arbitrary dependency to support fuzzing. |
| Guide/src/dev_guide/tests/fuzzing/netvsp.md | New Guide page documenting NetVSP fuzzing design, targets, mocks, and xtask usage. |
| Guide/src/SUMMARY.md | Adds NetVSP fuzzing page to the Guide navigation. |
| Cargo.toml | Adds the NetVSP fuzz crate to the workspace members list. |
| Cargo.lock | Lockfile updates for the new fuzz crate and new optional dependency usage. |

Copilot AI left a comment

Pull request overview

Copilot reviewed 32 out of 33 changed files in this pull request and generated 4 comments.
