udp: Fix a inpcb refcount leak in the tunnel receive path

When the socket has a tunneling function attached, udp_append() drops
the inpcb lock before calling it. To keep the inpcb alive, we bump the
refcount. After commit 742e7210d00b we only dropped the reference if
the tunnel consumed the packet, but it needs to be dropped in either
case. if_ovpn is the only driver that can trigger this bug.

Fixes: 742e7210d00b ("udp: allow udp_tun_func_t() to indicate it did not eat the packet")
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51505

(cherry picked from commit e1751ef896119d7372035b1b60f18a6342bd0e3b)