ath9k: fix a use-after-free-bug when ath_tx_setup_buffer() fails

ath9k: fix a use-after-free-bug when ath_tx_setup_buffer() fails

commit 81357a281dcc454841532c46b30e6f2ba12b73ea upstream.

ath_tx_setup_buffer() can fail if there is no ath_buf left, or if mapping DMA
failed. In this case it frees the skb passed to it.
If ath_tx_setup_buffer is called from ath_tx_form_aggr, the skb is still
linked into the tid buffer list and must be dequeued before being released.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>