Fix in6_multi double free

Description

This is actually several different bugs:

  • The code is not designed to handle inpcb deletion after interface deletion
    • add reference for inpcb membership
  • The multicast address has to be removed from interface lists when the refcount goes to zero OR when the interface goes away
    • decouple list disconnect from refcount (v6 only for now)
  • ifmultiaddr can exist past being on interface lists
    • add flag for tracking whether or not it's enqueued
  • deferring freeing moptions makes the inpcb cleanup code simpler but opens the door wider still to races
    • call inp_gcmoptions synchronously after dropping the inpcb lock

Fundamentally multicast needs a rewrite - but keep applying band-aids for now.

Tested by: kp
Reported by: novel, kp, lwhsu
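
The lifetime rule the commit message describes (list membership tracked by a flag, separate from the reference count) can be modelled in user space. This is an added example, not code from the FreeBSD commit; `maddr`, `iface`, `maddr_join`, `maddr_disconnect`, `maddr_release`, `iface_detach` and `live_objects` are hypothetical names, and the model is single-threaded, so the kernel's locking is left out.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space model; these are not the FreeBSD structures. */
struct maddr {
    struct maddr *next;    /* link on the interface's address list */
    struct iface *ifp;     /* NULL once unlinked from the interface */
    int refcount;          /* one reference per socket membership */
    bool enqueued;         /* true only while linked on ifp->head */
};
struct iface { struct maddr *head; };
static int live_objects;   /* allocations not yet freed */

static struct maddr *maddr_join(struct iface *ifp) {
    struct maddr *m = calloc(1, sizeof(*m));
    if (m == NULL) return NULL;
    m->ifp = ifp; m->refcount = 1; m->enqueued = true;
    m->next = ifp->head; ifp->head = m;
    live_objects++;
    return m;
}

/* Idempotent unlink: the flag, not the refcount, says whether we are listed. */
static void maddr_disconnect(struct maddr *m) {
    if (!m->enqueued) return;
    for (struct maddr **pp = &m->ifp->head; *pp != NULL; pp = &(*pp)->next)
        if (*pp == m) { *pp = m->next; break; }
    m->next = NULL; m->ifp = NULL; m->enqueued = false;
}

/* Last reference gone: unlink if still listed, then free exactly once. */
static bool maddr_release(struct maddr *m) {
    if (--m->refcount > 0) return false;
    maddr_disconnect(m);   /* no-op when the interface went away first */
    free(m); live_objects--;
    return true;
}

/* Interface goes away: unlink every address but free none that is still held. */
static void iface_detach(struct iface *ifp) {
    while (ifp->head != NULL) maddr_disconnect(ifp->head);
}

int main(void) {
    struct iface ifp = { NULL };
    struct maddr *m = maddr_join(&ifp);
    if (m == NULL) return 1;
    iface_detach(&ifp);    /* interface deleted before the socket state */
    return maddr_release(m) && live_objects == 0 ? 0 : 1;
}
```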

Details

Provenance
Author: mmacy
Parents
rS337865: dd: Incorporate some changes from imp for status=progress