extra tor_free() for create_cell_t in command_process_create_cell()
In command_process_create_cell() (on master, as of commit da04fed8):

  memset(&created_cell, 0, sizeof(created_cell));
  len = onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_FAST,
                                    create_cell->onionskin,
                                    create_cell->handshake_len,
                                    NULL,
                                    created_cell.reply,
                                    keys, CPATH_KEY_MATERIAL_LEN,
                                    rend_circ_nonce);
  tor_free(create_cell);               /* first release, unconditional */
  if (len < 0) {
    log_warn(LD_OR,"Failed to generate key material. Closing.");
    circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
    tor_free(create_cell);             /* second release on the error path */
    return;
  }
Which is a double-free (somewhat dependent on what the PREDICT_LIKELY macro generates).
I haven't tested yet, but it might be possible to crash relays with this bug. We should probably patch this ASAP.
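As an added illustration (not code from the Tor tree), the following models the control flow above with an instrumented allocator: the cell is released once unconditionally and again on the error path, first through a plain release macro that leaves the pointer dangling, then through a tor_free()-style macro that NULLs the lvalue after freeing, which is what the PREDICT_LIKELY remark hinges on. tracked_malloc/tracked_free, plain_free, nulling_free and run_error_path are hypothetical names used only here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Instrumented allocator: remembers live allocations so that a second
 * release of the same pointer is counted instead of corrupting the heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *tracked_malloc(size_t n) {
  void *p = malloc(n);
  for (int i = 0; p && i < MAX_LIVE; i++)
    if (!live[i]) { live[i] = p; break; }
  return p;
}

static void tracked_free(void *p) {
  if (!p) return;
  for (int i = 0; i < MAX_LIVE; i++)
    if (live[i] == p) { live[i] = NULL; free(p); return; }
  double_free_count++;          /* pointer was not live: a double free */
}

/* Plain release: the caller's pointer still holds the freed address. */
#define plain_free(p) tracked_free(p)

/* tor_free()-style release (hypothetical model): free, then NULL the
 * lvalue, so a redundant second call is a harmless no-op. */
#define nulling_free(p) \
  do { if ((p) != NULL) { tracked_free(p); (p) = NULL; } } while (0)

/* Mirrors the reported flow; returns how many double frees were observed. */
static int run_error_path(int use_nulling_macro) {
  double_free_count = 0;
  char *cell = tracked_malloc(64);
  int len = -1;                 /* constructed: pretend the handshake failed */
  if (use_nulling_macro) {
    nulling_free(cell);
    if (len < 0) { nulling_free(cell); }
  } else {
    plain_free(cell);
    if (len < 0) { plain_free(cell); }
  }
  return double_free_count;
}

int main(void) {
  printf("plain macro:   %d double free(s)\n", run_error_path(0));
  printf("nulling macro: %d double free(s)\n", run_error_path(1));
  return 0;
}
```

The plain variant reports one double free on the error path; the NULLing variant reports none, so whether the redundant call is a crash or merely dead code depends entirely on what the macro expands to.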