mwifiex: fix adapter pointer dereference issue

It has introduced by recent commit 6b41f941: "mwifiex:
handle driver initialization error paths" which adds error
path handling for mwifiex_fw_dpc().

release_firmware(adapter->*) is called for success as well
as failure paths. In failure paths, adapter is already freed
at this point.

The issue is fixed by moving mwifiex_free_adapter() call.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

drivers/net/wireless/mwifiex/main.c

@@ -414,6 +414,8 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
 	struct mwifiex_private *priv;
 	struct mwifiex_adapter *adapter = context;
 	struct mwifiex_fw_image fw;
+	struct semaphore *sem = adapter->card_sem;
+	bool init_failed = false;
 
 	if (!firmware) {
 		dev_err(adapter->dev,
@@ -528,15 +530,20 @@ static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
 	}
 	adapter->surprise_removed = true;
 	mwifiex_terminate_workqueue(adapter);
-	mwifiex_free_adapter(adapter);
+	init_failed = true;
 done:
 	if (adapter->cal_data) {
 		release_firmware(adapter->cal_data);
 		adapter->cal_data = NULL;
 	}
+	if (adapter->firmware) {
 		release_firmware(adapter->firmware);
+		adapter->firmware = NULL;
+	}
 	complete(&adapter->fw_load);
-	up(adapter->card_sem);
+	if (init_failed)
+		mwifiex_free_adapter(adapter);
+	up(sem);
 	return;
 }