media: v4l2-core: only zero-out ioctl-read buffers

The memset() got moved out of the check for _IOC_NONE, so passing a
made-up command number with a size but no direction would allow clearing
data on user-provided pointers.

Move video_get_user() back into the _IOC_NONE check where it belongs.

Reported-by: syzbot+54fd8cca4b7226c94b8e@syzkaller.appspotmail.com
Fixes: 6c625c01c7a6 ("media: v4l2-core: split out data copy from video_usercopy")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

drivers/media/v4l2-core/v4l2-ioctl.c

@@ -3205,11 +3205,11 @@ video_usercopy(struct file *file, unsigned int orig_cmd, unsigned long arg,
 			parg = mbuf;
 		}
 
-	}
-
-	err = video_get_user((void __user *)arg, parg, orig_cmd, &always_copy);
+		err = video_get_user((void __user *)arg, parg, orig_cmd,
+				     &always_copy);
 		if (err)
 			goto out;
+	}
 
 	err = check_array_args(cmd, parg, &array_size, &user_ptr, &kernel_ptr);
 	if (err < 0)