Call ifmedia_removeall () after ether_ifdetach () to prevent access to uninitialized data.
Looks good to me (with the suggested change). If I understand correctly, the crash happens when ng_eiface_mediastatus (which dereferences ifm->ifm_cur) is called after ifmedia_removeall (which sets ifm->ifm_cur = NULL, but before ether_ifdetach.
|628 ↗||(On Diff #70940)|
Move the ifmedia_removeall before if_free, because the ifmedia callbacks need to access ifp, and so in theory the callbacks may be called after if_free and before ifmedia_removeall, resulting in a crash (if lucky).