A USB device claiming to be an "rsu" wlan device can produce a firmware event frame of type R92S_EVT_ADDBA_REQ_REPORT with an 8-bit ba->tid value of whatever it wants, including e.g. 255. if_rsu.c's rsu_event_addba_req_report() calls: ieee80211_ampdu_rx_start_ext(ni, ba->tid, le16toh(ba->ssn) >> 4, 32); And (as noted) that function uses tid w/o a sanity check: ieee80211_ampdu_rx_start_ext(struct ieee80211_node *ni, int tid, int seq, int baw) { struct ieee80211_rx_ampdu *rap; /* XXX TODO: sanity check tid, seq, baw */ rap = &ni->ni_rx_ampdu[tid]; ni_rx_ampdu[] has only 16 entries, so rap, which is written through, points to somewhere it shouldn't. #0 ieee80211_ampdu_rx_start_ext (ni=0xffffffc094cdb000, tid=255, seq=<optimized out>, baw=<optimized out>) at /usr/rtm/symbsd/src/sys/net80211/ieee80211_ht.c:732 #1 0xffffffc0002839a8 in rsu_event_addba_req_report (sc=0xffffffc001731000, buf=<optimized out>, len=13332) at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2173 #2 rsu_rx_event (sc=0xffffffc001731000, buf=<optimized out>, code=<optimized out>, len=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2234 #3 rsu_rx_multi_event (sc=0xffffffc001731000, buf=0xffffffc094c7b018 "\0244\031", len=30696) at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2266 #4 rsu_rxeof (xfer=<optimized out>, data=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2545 #5 rsu_bulk_rx_callback (xfer=0xffffffc094ccb148, error=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/wlan/if_rsu.c:2569 #6 0xffffffc000259b7e in usbd_callback_wrapper (pq=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2482 #7 0xffffffc00025acbe in usb_command_wrapper (pq=0xffffffc094ccb060, xfer=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:3188 #8 0xffffffc000259d22 in usb_callback_proc (_pm=<optimized out>) at /usr/rtm/symbsd/src/sys/dev/usb/usb_transfer.c:2345 (gdb) print tid $1 = 255 (gdb) print sizeof(ni->ni_rx_ampdu) / sizeof(ni->ni_rx_ampdu[0]) $2 = 16