The TAILQ_INSERT_TAIL(head, elm, field) macro is being called as follows in the function _node_table_join:
TAILQ_INSERT_TAIL(&nt->nt_node, ieee80211_ref_node(ni), ni_list);
so in each place the (elm) will occur the preprocessor puts ieee80211_ref_node(ni).
This makes the function references the node not once but 5 times.
Then the code in ieee80211_auth_open function:
1289 if (ni == vap->iv_bss) {
1290 ni = ieee80211_dup_bss(vap, wh->i_addr2, 0);
1291 if (ni == NULL)
1292 return;
1293
1294 IEEE80211_DPRINTF(vap, IEEE80211_MSG_NODE,
1295 "%s: %p<%s> refcnt %d\n", __func__, ni, ether_sprintf(ni->ni_macaddr),
1296 ieee80211_node_refcnt(ni));
1297 tmpnode = 1;
1298 }
1299
1300 IEEE80211_SEND_MGMT(ni, IEEE80211_FC0_SUBTYPE_AUTH, seq + 1);
1301 IEEE80211_NOTE(vap, IEEE80211_MSG_DEBUG | IEEE80211_MSG_AUTH,
1302 ni, "station authenticated (%s)", "open");
1303 /*
1304 * When 802.1x is not in use mark the port
1305 * authorized at this point so traffic can flow.
1306 */
1307 if (ni->ni_authmode != IEEE80211_AUTH_8021X)
1308 ieee80211_node_authorize(ni);
1309 if (tmpnode)
1310 ieee80211_unref_node(&ni);
will create the temporary node, but this node will not be freed because the refcount value will be 6, so the ieee80211_unref_node simply reduce it to 5 and exit.
