fix(uffd): hold settle Lock across read+SetRange in serve loop

Serve loop previously took the lock only around SetRange after readEvents
returned. A snapshot-path goroutine could win the Lock race in the gap
between read and SetRange, exporting an incomplete Removed bitmap before
the serve loop applied the just-read events. Hold Lock across the read
itself so read+SetRange are atomic from any other goroutine's perspective.

Author: ValentaTomas

packages/orchestrator/pkg/sandbox/uffd/userfaultfd/userfaultfd.go

@@ -262,21 +262,22 @@ func (u *Userfaultfd) Serve(
 		var pagefaults []*UffdPagefault
 
 		if hasEvent(uffdFd.Revents, unix.POLLIN) {
+			// Hold Lock across read+SetRange so any goroutine that later
+			// acquires Lock (e.g. ExportPageStates) sees a tracker state
+			// where every read() event has been applied. Without this,
+			// the snapshot path could acquire Lock between read() and
+			// the SetRange below and Export an incomplete Removed bitmap.
+			u.settleRequests.Lock()
+
 			var err error
 			removes, pagefaults, err = u.readEvents(ctx)
 			if err != nil {
+				u.settleRequests.Unlock()
 				u.logger.Error(ctx, "uffd: read error", zap.Error(err))
 
 				return fmt.Errorf("failed to read: %w", err)
 			}
-		} else {
-			noDataCounter.Increase("POLLIN")
-		}
 
-		// REMOVE batch under write lock so an in-flight worker's SetRange(faulted)
-		// can't overwrite the removed state we are about to install.
-		if len(removes) > 0 {
-			u.settleRequests.Lock()
 			for _, rm := range removes {
 				// rm.start (inclusive) and rm.end (exclusive) are page-aligned
 				// to u.pageSize for the registered VMA (UFFD invariant), so
@@ -301,7 +302,10 @@ func (u *Userfaultfd) Serve(
 						zap.Uint64("start_idx", startIdx), zap.Uint64("end_idx", endIdx), zap.Error(err))
 				}
 			}
+
 			u.settleRequests.Unlock()
+		} else {
+			noDataCounter.Increase("POLLIN")
 		}
 
 		pagefaults = append(deferred.drain(), pagefaults...)