CVE-2025-40356 in Linux

Summary

by MITRE • 12/16/2025

In the Linux kernel, the following vulnerability has been resolved:

spi: rockchip-sfc: Fix DMA-API usage

Use DMA-API dma_map_single() call for getting the DMA address of the transfer buffer instead of hacking with virt_to_phys().

This fixes the following DMA-API debug warning:

------------[ cut here ]------------
DMA-API: rockchip-sfc fe300000.spi: device driver tries to sync DMA memory it has not allocated [device address=0x000000000cf70000] [size=288 bytes]
WARNING: kernel/dma/debug.c:1106 at check_sync+0x1d8/0x690, CPU#2: systemd-udevd/151
Modules linked in: ...
Hardware name: Hardkernel ODROID-M1 (DT)
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : check_sync+0x1d8/0x690
lr : check_sync+0x1d8/0x690
..
Call trace:
check_sync+0x1d8/0x690 (P)
debug_dma_sync_single_for_cpu+0x84/0x8c
__dma_sync_single_for_cpu+0x88/0x234
rockchip_sfc_exec_mem_op+0x4a0/0x798 [spi_rockchip_sfc]
spi_mem_exec_op+0x408/0x498
spi_nor_read_data+0x170/0x184
spi_nor_read_sfdp+0x74/0xe4
spi_nor_parse_sfdp+0x120/0x11f0
spi_nor_sfdp_init_params_deprecated+0x3c/0x8c
spi_nor_scan+0x690/0xf88
spi_nor_probe+0xe4/0x304
spi_mem_probe+0x6c/0xa8
spi_probe+0x94/0xd4
really_probe+0xbc/0x298
...

Analysis

by VulDB Data Team • 02/21/2026

The vulnerability CVE-2025-40356 addresses a critical issue within the Linux kernel's SPI subsystem, specifically affecting the rockchip-sfc driver used in certain embedded systems. This flaw stems from improper usage of the DMA-API, which is fundamental to ensuring safe and efficient memory transfers between hardware devices and system memory. The root cause lies in the driver's reliance on virt_to_phys() for obtaining DMA addresses rather than employing the proper DMA-API functions, creating a mismatch between device expectations and actual memory management practices.

The technical flaw manifests through a DMA-API debug warning that indicates a device driver attempting to synchronize DMA memory it has not allocated, specifically referencing a device address at 0x000000000cf70000 with a size of 288 bytes. This warning originates from kernel/dma/debug.c at the check_sync function, where the system detects an invalid synchronization attempt. The call trace shows the error propagating through several kernel functions including debug_dma_sync_single_for_cpu, __dma_sync_single_for_cpu, and ultimately reaching rockchip_sfc_exec_mem_op within the spi_rockchip_sfc module. This improper memory management approach violates fundamental DMA-API principles and creates potential for data corruption or system instability.

The operational impact of this vulnerability extends beyond simple warning messages, as it represents a breakdown in the kernel's memory management subsystem that could lead to system crashes or data integrity issues during SPI operations. The affected hardware platform, specifically the Hardkernel ODROID-M1, relies on this driver for SPI flash memory operations, which are critical for system boot processes, firmware updates, and configuration data access. When the DMA-API is misused, it can cause synchronization failures between CPU and device memory, potentially leading to memory corruption or complete system hangs during critical operations such as reading SFDP (Serial Flash Discoverable Parameters) data from SPI NOR flash devices.

This vulnerability aligns with CWE-665 improper initialization and CWE-122 improper memory management practices, both of which are categorized under the broader domain of memory safety issues in kernel space. The ATT&CK framework would classify this under T1547.001 for kernel modules and T1059.008 for system commands, as the improper DMA handling could potentially enable privilege escalation or system compromise if exploited. The fix implemented in this CVE resolution addresses the core issue by replacing the incorrect virt_to_phys() approach with the proper DMA-API dma_map_single() call, ensuring that the driver properly allocates and manages DMA memory through the kernel's established interfaces. This change brings the driver into compliance with the Linux kernel's DMA-API requirements and eliminates the debug warnings while maintaining proper memory synchronization between CPU and device memory.
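
The difference between the two patterns can be shown with a small userspace model. This is an added example, not code from the kernel patch or from this entry's sources; the ledger, the model_* helpers and the two sync_* functions are hypothetical stand-ins for the mapping bookkeeping that the kernel's DMA-API debug code performs.

```c
#include <stddef.h>
#include <stdint.h>
/* Userspace model, not kernel code: a ledger of live streaming DMA mappings. */
#define MAX_MAPPINGS 8
#define MODEL_MAPPING_ERROR UINT64_MAX
enum sync_result { SYNC_OK = 0, SYNC_NOT_MAPPED = -1, SYNC_OUT_OF_RANGE = -2 };
static struct mapping { uint64_t dev_addr; size_t size; int live; } ledger[MAX_MAPPINGS];

/* Models dma_map_single(): returns the device address and records the mapping. */
static uint64_t model_dma_map_single(const void *buf, size_t size)
{
    for (int i = 0; i < MAX_MAPPINGS; i++) {
        if (ledger[i].live) continue;
        ledger[i] = (struct mapping){ (uint64_t)(uintptr_t)buf, size, 1 };
        return ledger[i].dev_addr;
    }
    return MODEL_MAPPING_ERROR; /* ledger full; callers must check for this */
}

/* Models dma_unmap_single(): the range is no longer valid for syncs. */
static void model_dma_unmap_single(uint64_t dev_addr)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (ledger[i].live && ledger[i].dev_addr == dev_addr) ledger[i].live = 0;
}

/* Models the check behind the warning: a sync must fall inside a live mapping. */
static enum sync_result model_check_sync(uint64_t addr, size_t size)
{
    for (int i = 0; i < MAX_MAPPINGS; i++) {
        const struct mapping *m = &ledger[i];
        if (m->live && addr >= m->dev_addr && addr - m->dev_addr < m->size)
            return size <= m->size - (addr - m->dev_addr) ? SYNC_OK : SYNC_OUT_OF_RANGE;
    }
    return SYNC_NOT_MAPPED; /* "sync DMA memory it has not allocated" */
}

/* Pre-fix pattern: address derived from the pointer (as virt_to_phys() would), never mapped. */
enum sync_result sync_without_mapping(const void *buf, size_t len)
{ return model_check_sync((uint64_t)(uintptr_t)buf, len); }

/* Post-fix pattern: map, check for a mapping error, sync, unmap. */
enum sync_result sync_with_mapping(const void *buf, size_t len, size_t sync_len)
{
    uint64_t dma = model_dma_map_single(buf, len);
    if (dma == MODEL_MAPPING_ERROR) return SYNC_NOT_MAPPED;
    enum sync_result r = model_check_sync(dma, sync_len);
    model_dma_unmap_single(dma);
    return r;
}
```

For a 288-byte buffer, sync_without_mapping() returns SYNC_NOT_MAPPED because no mapping was ever recorded for the address, while sync_with_mapping() returns SYNC_OK for the same buffer.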

Responsible: Linux
Reservation: 04/16/2025
Disclosure: 12/16/2025
Moderation: accepted
CPE: ready
EPSS: 0.00155
KEV: no
Activities: very low
