DF-0484
SYN-cookie crypto state (static MD5_CTX syn_ctx, tcp_secret[]) is a single global with no synchronization across netisr CPUs: the race corrupts cookies and defeats SYN-flood mitigation
Summary
static MD5_CTX syn_ctx(:1358) + tcp_secret[SYNCOOKIE_NSECRETS](:1351-1354) are single global no lock no per-CPU. syncookie_generate called from syncache_add(:1068) on every new entry when tcp_syncookies enabled(default). syncookie_lookup from syncache_expand(:914). TCP input runs per-CPU netisr, SYNs distributed across CPUs by mbuf hash. 2+ CPUs simultaneously MD5Init/Update/Final against SAME syn_ctx + read/write tcp_secret[idx] -> interleaving corrupts transform+secret. Generated cookie sc_iss(:1406-1425) and recomputed digest(:1442-1463) become garbage -> legitimate final ACKs rejected under flood when syncache overflows. Defeats SYN-cookie mitigation exactly when engaged. Fix: per-CPU tcp_secret+MD5_CTX or spinlock around crypto.