media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags

[Hans Verkuil <hverkuil-cisco@xxxxxxxxx>]

From: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>

commit 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 upstream.

The cec_msg_set_reply_to() helper function never zeroed the
struct cec_msg flags field, this can cause unexpected behavior
if flags was uninitialized to begin with.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xxxxxxxxx>
Fixes: 0dbacebede1e ("[media] cec: move the CEC framework out of staging and to media")
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 include/uapi/linux/cec.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/uapi/linux/cec.h
+++ b/include/uapi/linux/cec.h
@@ -132,6 +132,8 @@ static inline void cec_msg_init(struct c
  * Set the msg destination to the orig initiator and the msg initiator to the
  * orig destination. Note that msg and orig may be the same pointer, in which
  * case the change is done in place.
+ *
+ * It also zeroes the reply, timeout and flags fields.
  */
 static inline void cec_msg_set_reply_to(struct cec_msg *msg,
 					struct cec_msg *orig)
@@ -139,7 +141,9 @@ static inline void cec_msg_set_reply_to(
 	/* The destination becomes the initiator and vice versa */
 	msg->msg[0] = (cec_msg_destination(orig) << 4) |
 		      cec_msg_initiator(orig);
-	msg->reply = msg->timeout = 0;
+	msg->reply = 0;
+	msg->timeout = 0;
+	msg->flags = 0;
 }
 
 /**


Patches currently in stable-queue which might be from hverkuil-cisco@xxxxxxxxx are

queue-6.10/media-uapi-linux-cec.h-cec_msg_set_reply_to-zero-flags.patch
queue-6.10/media-ov5675-fix-power-on-off-delay-timings.patch
queue-6.10/media-videobuf2-drop-minimum-allocation-requirement-of-2-buffers.patch
queue-6.10/media-qcom-camss-fix-ordering-of-pm_runtime_enable.patch
queue-6.10/media-qcom-camss-remove-use_count-guard-in-stop_streaming.patch
queue-6.10/media-venus-fix-use-after-free-bug-in-venus_remove-due-to-race-condition.patch
queue-6.10/media-i2c-ar0521-use-cansleep-version-of-gpiod_set_value.patch
queue-6.10/media-imx335-fix-reset-gpio-handling.patch