Avoid use-after-free of circ belonging to cancelled job

This fixes a bug where we decide to free the circuit because it isn't on
any workqueue anymore, and then the job finishes and the circuit gets
freed again.

Fixes bug #14815, not in any released version of Tor.

src/or/cpuworker.c

@@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ)
     tor_free(job);
     tor_assert(total_pending_tasks > 0);
     --total_pending_tasks;
-  }
-
     circ->workqueue_entry = NULL;
+  }
 }