Hi David,
I have followed your steps in debugging this memory leak (madwifi r3314 patched by openwrt), and made the same conclusion: ref_node  and unref_node are not called properly. In fact, when i try the create/up/down/destroy loop, the last ref count is always 1, not 0 as I expect.
As you said, there is probably a bug in ieee80211_reset_bss, when ref_node is called but the next unref don't seem to be called.
So I've try a quick and dirty patch, calling unref after the KASSERT:

        vap->iv_bss = ieee80211_ref_node(ni);
        KASSERT((atomic_read(&vap->iv_bss->ni_refcnt) == 3),
                ("wrong refcount for new node."));

Now testing loop create/up/down/destroy all the nodes allocated are freed. I've try it in master and managed mode for a couple of days, without oops or panic.
I know is a "blind patch" and I hope there is a better way to fix this, so please let me know if you have some news about it, thanks.