drivers/sesnros: fix crash because ipc buffer pointer used after free

When the ipc buffer is obtained for the first time and there is insufficient space,
the call waits for an ipc buffer to become available.
During that wait, if rptun recursively handles the next ipc request, the ipc buffer
is reused, even though it has already been released by then.

0  file_read (filep=filep@entry=0x20596738, buf=buf@entry=0x205d4358, nbytes=1560) at vfs/fs_read.c:86
1  sensor_rpmsg_push_event_one (dev=0x20558f70, dev@entry=0x2058fc80, stub=stub@entry=0x20596720) at sensors/sensor_rpmsg.c:799
2  sensor_rpmsg_alloc_stub (dev=dev@entry=0x2058fc80, ept=ept@entry=0x20558f08, cookie=<optimized out>) at sensors/sensor_rpmsg.c:552
3  sensor_rpmsg_sub_handler (ept=0x20558f08, data=0x204849c0, len=51, src=<optimized out>, priv=0x20558f00) at sensors/sensor_rpmsg.c:993
4  sensor_rpmsg_ept_cb (ept=<optimized out>, data=<optimized out>, len=<optimized out>, src=<optimized out>, priv=0x20558f00) at sensors/sensor_rpmsg.c:1186
5  rpmsg_virtio_rx_callback (vq=<optimized out>) at open-amp/lib/rpmsg/rpmsg_virtio.c:605
6  virtqueue_notification (vq=<optimized out>) at open-amp/lib/virtio/virtqueue.c:711
7  rproc_virtio_notified (vdev=vdev@entry=0x20558c98, notifyid=notifyid@entry=4294967295) at open-amp/lib/remoteproc/remoteproc_virtio.c:433
8  remoteproc_get_notification (rproc=rproc@entry=0x2054ff34, notifyid=notifyid@entry=4294967295) at open-amp/lib/remoteproc/remoteproc.c:1002
9  rptun_worker (arg=0x2054ff30) at rptun/rptun.c:339
10 rptun_notify_wait (rproc=<optimized out>, id=<optimized out>) at rptun/rptun.c:543
11 remoteproc_virtio_notify_wait (priv=<optimized out>, id=<optimized out>) at open-amp/lib/remoteproc/remoteproc.c:907
12 rproc_virtio_notify_wait (vdev=<optimized out>, vq=<optimized out>) at open-amp/lib/remoteproc/remoteproc_virtio.c:176
13 rpmsg_virtio_notify_wait (vq=<optimized out>, rvdev=0x2054ff78) at nuttx/include/openamp/rpmsg_virtio.h:162
14 rpmsg_virtio_get_tx_payload_buffer (rdev=0x2054ff78, len=0x20558f90, wait=<optimized out>) at open-amp/lib/rpmsg/rpmsg_virtio.c:404
15 rpmsg_get_tx_payload_buffer (ept=ept@entry=0x20558f08, len=len@entry=0x20558f90, wait=wait@entry=1) at open-amp/lib/rpmsg/rpmsg.c:207
16 sensor_rpmsg_push_event_one (dev=0x0, dev@entry=0x20590d60, stub=stub@entry=0x20596720) at sensors/sensor_rpmsg.c:783
17 sensor_rpmsg_alloc_stub (dev=dev@entry=0x20590d60, ept=ept@entry=0x20558f08, cookie=<optimized out>) at sensors/sensor_rpmsg.c:552
18 sensor_rpmsg_sub_handler (ept=0x20558f08, data=0x20483700, len=49, src=<optimized out>, priv=0x20558f00) at sensors/sensor_rpmsg.c:993
19 sensor_rpmsg_ept_cb (ept=<optimized out>, data=<optimized out>, len=<optimized out>, src=<optimized out>, priv=0x20558f00) at sensors/sensor_rpmsg.c:1186
20 rpmsg_virtio_rx_callback (vq=<optimized out>) at open-amp/lib/rpmsg/rpmsg_virtio.c:605
21 virtqueue_notification (vq=<optimized out>) at open-amp/lib/virtio/virtqueue.c:711
22 rproc_virtio_notified (vdev=vdev@entry=0x20558c98, notifyid=notifyid@entry=4294967295) at open-amp/lib/remoteproc/remoteproc_virtio.c:433
23 remoteproc_get_notification (rproc=0x2054ff34, rproc, notifyid=notifyid@entry=4294967295)
24 rptun_worker (arg=0x2054ff30) at rptun/rptun.c:339
25 rptun_thread (argc=<optimized out>, argv=<optimized out>) at rptun/rptun.c:375

Signed-off-by: dongjiuzhu1 <dongjiuzhu1@xiaomi.com>
dongjiuzhu1 2024-04-19 12:29:15 +08:00 committed by Xiang Xiao
parent 9d8991dd29
commit fcf2eb8fcb


@ -833,6 +833,7 @@ static void sensor_rpmsg_push_event_one(FAR struct sensor_rpmsg_dev_s *dev,
if (sre->buffer)
{
rpmsg_send_nocopy(&sre->ept, sre->buffer, sre->written);
sre->buffer = NULL;
}
msg = rpmsg_get_tx_payload_buffer(&sre->ept, &sre->space, true);