CVE-2024-35841

In the Linux kernel, the following vulnerability has been resolved: net:
tls, fix WARNIING in __sk_msg_free A splice with MSG_SPLICE_PAGES will
cause tls code to use the tls_sw_sendmsg_splice path in the TLS sendmsg
code to move the user provided pages from the msg into the msg_pl. This
will loop over the msg until msg_pl is full, checked by
sk_msg_full(msg_pl). The user can also set the MORE flag to hint stack to
delay sending until receiving more pages and ideally a full buffer. If the
user adds more pages to the msg than can fit in the msg_pl scatterlist
(MAX_MSG_FRAGS) we should ignore the MORE flag and send the buffer anyways.
What actually happens though is we abort the msg to msg_pl scatterlist
setup and then because we forget to set ‘full record’ indicating we can no
longer consume data without a send we fallthrough to the ‘continue’ path
which will check if msg_data_left(msg) has more bytes to send and then
attempts to fit them in the already full msg_pl. Then next iteration of
sender doing send will encounter a full msg_pl and throw the warning in the
syzbot report. To fix simply check if we have a full_record in splice code
path and if not send the msg regardless of MORE flag.