arch/arm/arm_dispatch_syscall: fix callee-saved reg corruption in protected

arm_dispatch_syscall in armv7-m clobbered r11 with 'mov r11, sp' and the
user-space callee-saved register value leaked back through the exception
frame when SYS_syscall_return restored the context, resulting in corrupted
parameters on subsequent syscalls and system hangs in protected builds.

In armv6-m, r4 was used to load g_stublookup (Thumb-1 cannot use ip for
indexed addressing) but was not restored before SYS_syscall_return,
causing the same class of register corruption.

Fix with minimal changes:
  - armv7-m: remove 'mov r11, sp' to stop clobbering user r11
  - armv6-m: restore r4 from the stack frame before SYS_syscall_return

Signed-off-by: buxiasen <buxiasen@xiaomi.com>

Author: jasonbu

arch/arm/src/armv6-m/arm_dispatch_syscall.S

@@ -89,6 +89,7 @@ arm_dispatch_syscall:
 	lsl r0, r0, #2                             /* R0=Offset of the stub for this syscall */
 	ldr r4, [r4, r0]                           /* R4=Address of the stub for this syscall */
 	blx r4                                     /* Call the stub (modifies lr) */
+	ldr r4, [sp, #0]                           /* Restore r4 */
 	add sp, sp, #32                            /* Destroy the stack frame */
 	mov r2, r0                                 /* R2=Save return value in R2 */
 	mov r0, SYS_syscall_return                 /* R0=SYS_syscall_return */

arch/arm/src/armv7-m/arm_dispatch_syscall.S

@@ -78,9 +78,8 @@
 arm_dispatch_syscall:
 	.cfi_sections	.debug_frame
 	.cfi_startproc
-	mov r11, sp
-	.cfi_register sp, r11
 	sub	sp, sp, #32
+	.cfi_def_cfa_offset 32
 	str	r4, [sp, #0]
 	.cfi_offset r4, 0
 	str	r5, [sp, #4]