fix: harden pause flow with connection isolation and UFFD event handling

Restructure pause to: block new operations (StatusPausing), drain proxy
connections with 5s grace, force-close remaining via context cancellation,
drop page cache, inflate balloon, then freeze vCPUs. Previously connections
could arrive during the pause window and API operations weren't blocked.

Handle UFFD_EVENT_REMOVE/UNMAP/REMAP/FORK gracefully instead of crashing
the UFFD server. These events fire during balloon deflation on snapshot
restore, killing the page fault handler and preventing VM boot.

Also adds ConnTracker.ForceClose() with cancellable context propagated
through the proxy handler, so lingering proxy connections are actively
terminated rather than left dangling.

internal/uffd/fd.go

@@ -29,6 +29,10 @@ import (
 
 const (
 	UFFD_EVENT_PAGEFAULT      = C.UFFD_EVENT_PAGEFAULT
+	UFFD_EVENT_FORK           = C.UFFD_EVENT_FORK
+	UFFD_EVENT_REMAP          = C.UFFD_EVENT_REMAP
+	UFFD_EVENT_REMOVE         = C.UFFD_EVENT_REMOVE
+	UFFD_EVENT_UNMAP          = C.UFFD_EVENT_UNMAP
 	UFFD_PAGEFAULT_FLAG_WRITE = C.UFFD_PAGEFAULT_FLAG_WRITE
 	UFFDIO_COPY               = C.UFFDIO_COPY
 	UFFDIO_COPY_MODE_WP       = C.UFFDIO_COPY_MODE_WP

internal/uffd/server.go

@@ -253,8 +253,17 @@ func (s *Server) serve(ctx context.Context, uffdFd fd, mapping *Mapping) error {
 		}
 
 		msg := *(*uffdMsg)(unsafe.Pointer(&buf[0]))
-		if getMsgEvent(&msg) != UFFD_EVENT_PAGEFAULT {
-			return fmt.Errorf("unexpected uffd event type: %d", getMsgEvent(&msg))
+		event := getMsgEvent(&msg)
+
+		switch event {
+		case UFFD_EVENT_PAGEFAULT:
+			// Handled below.
+		case UFFD_EVENT_REMOVE, UFFD_EVENT_UNMAP, UFFD_EVENT_REMAP, UFFD_EVENT_FORK:
+			// Non-fatal lifecycle events from the guest kernel (e.g. balloon
+			// deflation, mmap/munmap). No action needed — continue polling.
+			continue
+		default:
+			return fmt.Errorf("unexpected uffd event type: %d", event)
 		}
 
 		arg := getMsgArg(&msg)