broker: fix use-after-free segfault

Problem: on Ubuntu 22.04, t0014-runlevel.t triggers a segfault
when it runs the broker with broker.rc3_path=/bin/false.

If a module has not been fully unloaded by the time modhash_destroy()
is called, the module's context could be destroyed before its service
entry is removed.  Then a disconnect message sent when another module
context is destroyed may cause the destroyed module context to be
dereferenced.

Add code to ensure the service hash is removed when the module is
destroyed, if that hasn't happened already.

Fixes #4564.

Author: garlick

src/broker/module.c

@@ -379,6 +379,15 @@ static void module_destroy (module_t *p)
     if (p->t) {
         if ((e = pthread_join (p->t, &res)) != 0)
             log_errn_exit (e, "pthread_cancel");
+        if (p->status != FLUX_MODSTATE_EXITED) {
+            /* Calls broker.c module_status_cb() => service_remove_byuuid()
+             * and releases a reference on 'p'.  Without this, disconnect
+             * requests sent when other modules are destroyed can still find
+             * this service name and trigger a use-after-free segfault.
+             * See also: flux-framework/flux-core#4564.
+             */
+            module_set_status (p, FLUX_MODSTATE_EXITED);
+        }
     }
 
     /* Send disconnect messages to services used by this module.