fix(uffd): re-read page state inside worker goroutine under settleRequests.RLock

The Serve() loop previously read pageTracker state and captured
`source = u.src` in the parent loop, then dispatched a worker
goroutine. A REMOVE event for the same page that arrived between the
state read and the worker actually acquiring settleRequests.RLock()
would silently leave the worker with a stale `source = u.src`
snapshot. The worker would then UFFDIO_COPY src bytes into a page the
kernel had just MADV_DONTNEED'd, leaving pageTracker == removed and
the kernel page mapped with stale src data — and observably
deadlocking parent madvise() in the orchestrator unit-test suite.

Move the state lookup and source capture inside the goroutine, after
RLock(). The read+act+commit sequence is now atomic with respect to
the REMOVE batch (which takes settleRequests.Lock()).

Makes the three deterministic race tests added in the parent PR pass:
  - TestStaleSourceRaceMissingAndRemove (the one that intentionally
    failed on the parent PR with `page 1 first byte: want 0 ... got 0xc3`)
  - TestNoMadviseDeadlockWithInflightCopy (already passed; now stays green)
  - TestFaultedShortCircuitOrdering (already passed; now stays green)

Soak: -count=20 -timeout=30s passes deterministically on this branch.

Author: ValentaTomas

packages/orchestrator/pkg/sandbox/uffd/userfaultfd/userfaultfd.go

@@ -323,36 +323,38 @@ func (u *Userfaultfd) Serve(
 				return fmt.Errorf("failed to map: %w", err)
 			}
 
-			// State read happens before the worker takes settleRequests.RLock,
-			// so a REMOVE arriving in the parent's next iteration can race
-			// with an already-scheduled worker. Tracked as a known race; fix
-			// re-reads state under RLock in the worker.
-			var source block.Slicer
-			switch state := u.pageTracker.get(addr); state {
-			case faulted:
-				// Already mapped (prefault or earlier fault in this batch).
-				// Only a UFFD_EVENT_REMOVE can transition out of `faulted`;
-				// the used pages must not be swappable for this to hold.
-				continue
-			case removed:
-				// Zero-fill: source stays nil.
-			case missing:
-				source = u.src
-			default:
-				return fmt.Errorf("unexpected pageState: %#v", state)
-			}
-
 			u.wg.Go(func() error {
 				if h := u.testFaultHook.Load(); h != nil {
 					(*h)(addr, faultPhaseBeforeRLock)
 				}
 
-				// RLock inside the goroutine so RUnlock runs via defer even on
-				// early return, and so it pairs with the prefetchTracker write
-				// below.
+				// RLock must be inside the goroutine so RUnlock runs via defer.
+				// The state read below MUST happen after RLock: the read+act+commit
+				// sequence (state lookup → faultPage → setState(faulted)) must be
+				// atomic with any concurrent REMOVE batch (settleRequests.Lock()).
+				// A state read in the parent loop would leave a window where a REMOVE
+				// lands after the read but before RLock, and the worker would
+				// overwrite `removed` with `faulted`.
 				u.settleRequests.RLock()
 				defer u.settleRequests.RUnlock()
 
+				var source block.Slicer
+
+				switch state := u.pageTracker.get(addr); state {
+				case faulted:
+					// Already mapped; only UFFD_EVENT_REMOVE transitions out of
+					// faulted. Pages must not be swappable for this to hold.
+					return nil
+				case removed:
+					// Zero-fill. The kernel still expects an UFFDIO_COPY/ZEROPAGE
+					// ack for the original MISSING fault, otherwise the faulting
+					// thread stays blocked.
+				case missing:
+					source = u.src
+				default:
+					return fmt.Errorf("unexpected pageState: %#v", state)
+				}
+
 				var accessType block.AccessType
 				if pf.flags&UFFD_PAGEFAULT_FLAG_WRITE == 0 {
 					accessType = block.Read