u-boot: v2026.04: btrfs zstd: reject short decode

Per CodeRabbit review on PR #9675:
  zstd_decompress_dctx() returns a size_t — the actual number of
  bytes written, not just an error indicator. The previous code
  unconditionally returned dlen even if ret < dlen, leaving the
  tail of dbuf as uninitialised garbage.

In practice this path is unreachable for well-formed BTRFS extents:
after our fix out_len = max(dlen, fcs), and on success zstd produces
exactly fcs bytes, so ret == fcs >= dlen. But the defensive check
is trivial and guards against:
  - a frame header with a falsified content-size that still passes
    the integrity check;
  - truncated/corrupted frames that zstd does not always flag as an
    error.

Apply the same fix to the duplicate patch under board_helios64/.

This issue was not flagged in PR #9651 (v2026.01) — different
review pass surfaced different findings.

Author: iav

patch/u-boot/v2026.04/board_helios64/general-fix-btrfs-zstd-decompression.patch

@@ -103,7 +103,7 @@ diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
 +	ret = zstd_decompress_dctx(ctx, out_buf, out_len, cbuf, clen);
 +	free(workspace);
 +
-+	if (zstd_is_error(ret)) {
++	if (zstd_is_error(ret) || ret < dlen) {
 +		free(tmp);
 +		return -1;
 +	}

patch/u-boot/v2026.04/general-fix-btrfs-zstd-decompression.patch

@@ -103,7 +103,7 @@ diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
 +	ret = zstd_decompress_dctx(ctx, out_buf, out_len, cbuf, clen);
 +	free(workspace);
 +
-+	if (zstd_is_error(ret)) {
++	if (zstd_is_error(ret) || ret < dlen) {
 +		free(tmp);
 +		return -1;
 +	}