I don't know if this is a bug, or if there are somehow two completely different versions of the ST M25P40 SPI chip.
I just tried to burn such a chip with flashrom, but it wouldn't detect it at all, so I checked the datasheet for it, and it turned out that the probe was completely different from what one would think, reading flashrom's source.
It seems that the M25P40 doesn't use the RDID command to send its ID, but rather a "RES" (Read Electronic Signature) command instead, which returns just one byte. I added support for it, and then it worked perfectly for me.
I'm attaching my patch to fix the problem. I would imagine that the other M25Pxx chips would be affected by the same problem, but since I can neither verify nor test what IDs they would have, they are excluded from my patch.
Fredrik Tolf