CVE-2024-35841

In the Linux kernel, the following vulnerability has been resolved:

net: tls, fix WARNIING in _skmsg_free

A splice with MSGSPLICEPAGES will cause tls code to use the tlsswsendmsgsplice path in the TLS sendmsg code to move the user provided pages from the msg into the msgpl. This will loop over the msg until msgpl is full, checked by skmsgfull(msgpl). The user can also set the MORE flag to hint stack to delay sending until receiving more pages and ideally a full buffer.

If the user adds more pages to the msg than can fit in the msgpl scatterlist (MAXMSG_FRAGS) we should ignore the MORE flag and send the buffer anyways.

What actually happens though is we abort the msg to msgpl scatterlist setup and then because we forget to set 'full record' indicating we can no longer consume data without a send we fallthrough to the 'continue' path which will check if msgdataleft(msg) has more bytes to send and then attempts to fit them in the already full msgpl. Then next iteration of sender doing send will encounter a full msg_pl and throw the warning in the syzbot report.

To fix simply check if we have a full_record in splice code path and if not send the msg regardless of MORE flag.