In the Linux kernel’s vmw_gb_surface_define_ioctl() function, in ‘drivers/gpu/drm/vmwgfx/vmwgfx_surface.c’ file, a ‘req->mip_levels’ is a user-controlled value which is later used as a loop count limit. This allows local unprivileged user to cause a denial of service by a kernel lockup via a crafted ioctl call for a ‘/dev/dri/renderD*’ device.