media: v4l2-core: only zero-out ioctl-read buffers

The memset() got moved out of the check for _IOC_NONE, so passing a
made-up command number with a size but no direction would allow clearing
data on user-provided pointers.

Move video_get_user() back into the _IOC_NONE check where it belongs.

Reported-by:  <syzbot+54fd8cca4b7226c94b8e@syzkaller.appspotmail.com>
Fixes: 6c625c01c7a6 ("media: v4l2-core: split out data copy from video_usercopy")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>