CVE-2025-40356
Description
In the Linux kernel, the following vulnerability has been resolved:
spi: rockchip-sfc: Fix DMA-API usage
Use DMA-API dma_map_single() call for getting the DMA address of the transfer buffer instead of hacking with virt_to_phys().
This fixes the following DMA-API debug warning:
------------[ cut here ]------------
DMA-API: rockchip-sfc fe300000.spi: device driver tries to sync DMA memory it has not allocated [device address=0x000000000cf70000] [size=288 bytes]
WARNING: kernel/dma/debug.c:1106 at check_sync+0x1d8/0x690, CPU#2: systemd-udevd/151
Modules linked in: ...
Hardware name: Hardkernel ODROID-M1 (DT)
pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : check_sync+0x1d8/0x690
lr : check_sync+0x1d8/0x690
..
Call trace:
 check_sync+0x1d8/0x690 (P)
 debug_dma_sync_single_for_cpu+0x84/0x8c
 __dma_sync_single_for_cpu+0x88/0x234
 rockchip_sfc_exec_mem_op+0x4a0/0x798 [spi_rockchip_sfc]
 spi_mem_exec_op+0x408/0x498
 spi_nor_read_data+0x170/0x184
 spi_nor_read_sfdp+0x74/0xe4
 spi_nor_parse_sfdp+0x120/0x11f0
 spi_nor_sfdp_init_params_deprecated+0x3c/0x8c
 spi_nor_scan+0x690/0xf88
 spi_nor_probe+0xe4/0x304
 spi_mem_probe+0x6c/0xa8
 spi_probe+0x94/0xd4
 really_probe+0xbc/0x298
 ...
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DMA-API violation in the Rockchip SFC SPI driver (virt_to_phys() instead of dma_map_single()) causes a kernel warning, potentially leading to memory corruption or stability issues.
Root Cause
The Rockchip SFC (SPI Flash Controller) driver in the Linux kernel used virt_to_phys() to derive a DMA address from a transfer buffer, instead of the correct DMA-API function dma_map_single() [1]. This violates the DMA API contract because dma_map_single() ensures proper cache coherency and returns a valid DMA bus address. The warning is triggered when the driver later attempts to sync the DMA memory via dma_sync_single_for_cpu(), which detects that it was not properly mapped [1].
Attack Vector & Exploitation
No special privileges are required to trigger the bug; it occurs during normal SPI NOR flash operations, such as reading the Serial Flash Parameter Table (SFDP) during device initialization [1]. The call trace shows spi_nor_read_sfdp → spi_nor_parse_sfdp as the path to the warning. An attacker with physical access or the ability to influence SPI transactions (e.g., via malicious flash content) could potentially induce the warning behavior, but the primary risk is system instability rather than direct exploitation.
Impact
The immediate symptom is a kernel WARNING splat (not a crash) that floods the kernel log [1]. Under certain memory configurations, this could lead to cache inconsistencies or memory corruption, as the DMA-API debug check reveals an invalid sync operation. The issue does not directly enable code execution, but it degrades system reliability and could be used in conjunction with other vulnerabilities.
Mitigation
A fix was merged into the Linux kernel stable tree, replacing the virt_to_phys() hack with a proper dma_map_single()/dma_unmap_single() pair [1]. Users should update to a kernel version containing commit 22810d4cb0a8. No workaround is available; the patch must be applied.
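To make the Root Cause and Mitigation paragraphs concrete, here is an added user-space model of the dma-debug bookkeeping behind the "tries to sync DMA memory it has not allocated" check. It is not kernel code and not the driver's code: the model_* functions are hypothetical stand-ins for virt_to_phys(), dma_map_single(), dma_sync_single_for_cpu() and dma_unmap_single(), and the bus address, buffer size and device behaviour are constructed. The model tracks only the mapping registry that kernel/dma/debug.c consults; it does not model the cache maintenance that the real API also performs.

```c
/* Added example (not kernel or driver code): model of why a sync on a
 * virt_to_phys() address trips dma-debug while a dma_map_single() mapping
 * does not. All names are hypothetical stand-ins for the real DMA-API calls. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_MAPPINGS 8
typedef uint64_t dma_addr_t;

struct mapping { dma_addr_t addr; size_t size; int live; };
static struct mapping table[MAX_MAPPINGS]; /* model of dma-debug's mapping table */
static int violations;                     /* model of the WARNING counter */

#define PHYS_BASE 0x0cf70000ULL  /* constructed bus address, not a real layout */

/* Model of virt_to_phys(): pure arithmetic, registers nothing with dma-debug. */
static dma_addr_t model_virt_to_phys(const void *va)
{
    return PHYS_BASE + (uintptr_t)va % 0x10000;  /* arbitrary, constructed */
}

/* Model of dma_map_single(): same address, but the mapping is recorded. */
static dma_addr_t model_dma_map_single(const void *va, size_t size)
{
    dma_addr_t addr = model_virt_to_phys(va);
    for (int i = 0; i < MAX_MAPPINGS; i++) {
        if (!table[i].live) {
            table[i] = (struct mapping){ addr, size, 1 };
            return addr;
        }
    }
    return 0;  /* stands in for DMA_MAPPING_ERROR */
}

/* Model of dma_unmap_single(): the mapping must stop being live. */
static void model_dma_unmap_single(dma_addr_t addr, size_t size)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (table[i].live && table[i].addr == addr && table[i].size == size)
            table[i].live = 0;
}

/* Model of check_sync(): the synced range must fall inside a live mapping.
 * Returns 0 when valid, 1 when dma-debug would print the WARNING. */
static int model_dma_sync_single_for_cpu(dma_addr_t addr, size_t size)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (table[i].live && addr >= table[i].addr &&
            addr + size <= table[i].addr + table[i].size)
            return 0;
    violations++;
    return 1;
}

/* Constructed stand-in for the controller filling the read buffer. */
static void device_dma_write(uint8_t *buf, size_t len) { memset(buf, 0xA5, len); }

/* Pre-fix pattern: hand-derived bus address, then a sync dma-debug never saw. */
int transfer_before_fix(uint8_t *buf, size_t len)
{
    dma_addr_t addr = model_virt_to_phys(buf);
    device_dma_write(buf, len);
    return model_dma_sync_single_for_cpu(addr, len);
}

/* Fixed pattern: map, let the device write, sync for the CPU, unmap. */
int transfer_after_fix(uint8_t *buf, size_t len)
{
    dma_addr_t addr = model_dma_map_single(buf, len);
    if (!addr)
        return -1;
    device_dma_write(buf, len);
    int bad = model_dma_sync_single_for_cpu(addr, len);
    model_dma_unmap_single(addr, len);
    return bad;
}

/* Helpers so the outcome can be checked without reading printed output. */
int demo_before_fix(void) { static uint8_t b[288]; return transfer_before_fix(b, sizeof b); }
int demo_after_fix(void)  { static uint8_t b[288]; return transfer_after_fix(b, sizeof b); }
int violation_count(void) { return violations; }
int live_mappings(void)
{
    int n = 0;
    for (int i = 0; i < MAX_MAPPINGS; i++) n += table[i].live;
    return n;
}

int main(void)
{
    printf("before fix: %d violation(s)\n", demo_before_fix());
    printf("after fix:  %d violation(s), %d mapping(s) left live\n",
           demo_after_fix(), live_mappings());
    return 0;
}
```

The 288-byte buffer mirrors the size in the splat. In the real API the map and unmap calls also take the device and a DMA direction (DMA_FROM_DEVICE for a read), the return value is checked with dma_mapping_error(), and the sync is what makes the device's writes visible to the CPU on non-coherent SoCs; the model shows only the registry check that produced the warning.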
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
22810d4cb0e8ee795e82e101
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (2)
No linked articles in our index yet.