DF-0320
Reorder buffer rxa_m[] mutated without dedicated lock: RX races timer flush and ADDBA re-init (double-free/UAF)
Summary
The ieee80211_rx_ampdu reorder buffer rxa_m[64] is accessed from three contexts with no per-rap lock: the RX path in ieee80211_ampdu_reorder (:780/:908); the node-age callout ampdu_rx_flush (:1125/:1151), which frees mbufs; and ADDBA handling in ampdu_rx_start (:540/:553), which purges and memsets. The code is littered with "XXX locking" comments (:1819, :1842). A remote peer that interleaves A-MPDU and ADDBA frames can cause double-free/UAF mbuf corruption.