ipsec: fix a panic with INVARIANTS

When adding an SPD entry that already exists, a refcount wraparound
panic is encountered. This was caused by dropping a reference on the
wrong security policy.

Fixes:          4920e38fec ("ipsec: fix race condition in key.c")
Reviewed by:	wma
Sponsored by:   Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D33100
Robert Wing 2021-12-03 14:22:23 -09:00
parent a21f086a33
commit fc21aafe5f

@ -2039,7 +2039,7 @@ key_spdadd(struct socket *so, struct mbuf *m, const struct sadb_msghdr *mhp)
__func__, oldsp));
KEYDBG(KEY_DATA, kdebug_secpolicy(oldsp));
} else {
key_freesp(&newsp);
key_freesp(&oldsp);
ipseclog((LOG_DEBUG,
"%s: a SP entry exists already.\n", __func__));
return (key_senderror(so, m, EEXIST));
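
Review bot: In the else branch that returns EEXIST, the key_freesp() call is switched between newsp and oldsp, but nothing in the visible context documents which reference each pointer holds at this point. Since the commit message attributes the refcount wraparound to dropping a reference on the wrong policy, a one-line comment above the call stating that the reference released here is the one held on the already existing entry (oldsp) would make the mistake harder to reintroduce. Please also confirm in the rest of key_spdadd() that newsp is either not yet allocated on this path or is released elsewhere, so the fix does not trade the wraparound for a leak. A regression test that adds the same SPD entry twice on an INVARIANTS kernel would cover this path.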