wgengine/magicsock: fix magicsock deadlock around Conn.NoteRecvActivity (#16687)

Updates #16651
Updates tailscale/corp#30836

Signed-off-by: Jordan Whited <[email protected]>

tailcfg/tailcfg.go

@@ -167,7 +167,8 @@ type CapabilityVersion int
 //   - 120: 2025-07-15: Client understands peer relay disco messages, and implements peer client and relay server functions
 //   - 121: 2025-07-19: Client understands peer relay endpoint alloc with [disco.AllocateUDPRelayEndpointRequest] & [disco.AllocateUDPRelayEndpointResponse]
 //   - 122: 2025-07-21: Client sends Hostinfo.ExitNodeID to report which exit node it has selected, if any.
-const CurrentCapabilityVersion CapabilityVersion = 122
+//   - 123: 2025-07-28: fix deadlock regression from cryptokey routing change (issue #16651)
+const CurrentCapabilityVersion CapabilityVersion = 123
 
 // ID is an integer ID for a user, node, or login allocated by the
 // control plane.

wgengine/magicsock/magicsock.go

@@ -4119,8 +4119,11 @@ func (le *lazyEndpoint) InitiationMessagePublicKey(peerPublicKey [32]byte) {
 		return
 	}
 	le.c.mu.Lock()
-	defer le.c.mu.Unlock()
 	ep, ok := le.c.peerMap.endpointForNodeKey(pubKey)
+	// [Conn.mu] must not be held while [Conn.noteRecvActivity] is called, which
+	// [endpoint.noteRecvActivity] can end up calling. See
+	// [Options.NoteRecvActivity] docs.
+	le.c.mu.Unlock()
 	if !ok {
 		return
 	}