Comment 18 for bug 1515791

Francesco Ongaro (francesco-ongaro) wrote :

I have the same issue, which can be easily hotfixed by editing AppArmor's rules or by disabling it; anyway, when the machine tries to access the USB device a kernel NULL pointer dereference occurs.

My setup is a vanilla Ubuntu 16.04.1 LTS with libvirt and a virtual print server (Ubuntu 16.04.1 LTS too). I'm trying to pass a USB multifunction printer (a Samsung SCX B/W laser printer).

I added to /etc/apparmor.d/abstractions/libvirt-qemu:

  /run/udev/data/** r,
  /dev/bus/usb/*/[0-9]* rw,

When the machine starts I get a kernel oops:

[79766.096875] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79766.524927] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79767.252785] usb 1-6: reset high-speed USB device number 4 using ehci-pci
[79768.478231] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[79768.478253] IP: [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.478266] PGD 0
[79768.478272] Oops: 0000 [#1] SMP
[79768.478280] Modules linked in: vhost_net vhost macvtap macvlan xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables snd_hda_codec_hdmi gpio_ich ppdev snd_hda_codec_realtek snd_hda_codec_generic bridge stp llc snd_hda_intel snd_hda_codec coretemp serio_raw snd_hda_core snd_hwdep snd_pcm usblp snd_timer lpc_ich input_leds snd shpchp soundcore i7core_edac winbond_cir edac_core i5500_temp rc_core 8250_fintek parport_pc mac_hid parport kvm_intel kvm irqbypass ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs drbg
[79768.478471] ansi_cprng xts gf128mul algif_skcipher af_alg dm_crypt raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 multipath linear raid0 pata_acpi hid_generic usbhid hid raid10 pata_marvell uas usb_storage nouveau mxm_wmi wmi video i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect firewire_ohci sysimgblt psmouse fb_sys_fops e1000e firewire_core mvsas ahci ptp drm crc_itu_t libahci libsas pps_core scsi_transport_sas fjes
[79768.478599] CPU: 2 PID: 23232 Comm: qemu-system-x86 Tainted: G I 4.4.0-53-generic #74-Ubuntu
[79768.478610] Hardware name: /DX58SO, BIOS SOX5810J.86A.2127.2008.0914.1638 09/14/2008
[79768.478620] task: ffff88041b314b00 ti: ffff880004634000 task.ti: ffff880004634000
[79768.478629] RIP: 0010:[<ffffffff81610c96>] [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.478641] RSP: 0018:ffff880004637d18 EFLAGS: 00010202
[79768.478648] RAX: 0000000000000020 RBX: 00000000000000a1 RCX: 0000000000000100
[79768.478657] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
[79768.478665] RBP: ffff880004637d60 R08: 0000000000000006 R09: ffff88041ec03e00
[79768.478673] R10: ffff88041ce0d800 R11: ffff880416c98000 R12: 0000000000000100
[79768.478682] R13: ffff8800359b00c0 R14: 0000000000000000 R15: ffff880004637e20
[79768.478691] FS: 00007f0b8b799700(0000) GS:ffff88041f280000(0000) knlGS:0000000000000000
[79768.478700] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[79768.478707] CR2: 0000000000000004 CR3: 00000001bb759000 CR4: 00000000000026e0
[79768.478715] Stack:
[79768.478719] ffff880004637d60 ffffffff8162846c 0000000000000000 0000000000000008
[79768.478733] ffff8800359b00c0 00000000ffffffff 00000000ffffffea ffff8800cf2081c8
[79768.478751] ffff880004637e20 ffff880004637de8 ffffffff81629912 ffff880004637da8
[79768.478765] Call Trace:
[79768.478774] [<ffffffff8162846c>] ? check_ctrlrecip+0x6c/0x140
[79768.478783] [<ffffffff81629912>] proc_do_submiturb+0x252/0xbc0
[79768.478793] [<ffffffff81090eb6>] ? __set_current_blocked+0x36/0x60
[79768.478807] [<ffffffffc069bc78>] ? __vmx_load_host_state.part.49+0x128/0x170 [kvm_intel]
[79768.478818] [<ffffffff8162ad43>] usbdev_do_ioctl+0xac3/0xfa0
[79768.478826] [<ffffffff810efb66>] ? hrtimer_start_range_ns+0x1d6/0x3e0
[79768.478836] [<ffffffff8162b24e>] usbdev_ioctl+0xe/0x20
[79768.478844] [<ffffffff8122166f>] do_vfs_ioctl+0x29f/0x490
[79768.478853] [<ffffffff8125a327>] ? SyS_timerfd_settime+0x57/0xb0
[79768.478862] [<ffffffff812218d9>] SyS_ioctl+0x79/0x90
[79768.478871] [<ffffffff81836072>] entry_SYSCALL_64_fastpath+0x16/0x71
[79768.478879] Code: ee 81 74 03 31 c0 c3 55 48 89 f0 48 81 ef 98 00 00 00 48 8b 36 48 89 e5 ff 50 08 5d c3 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 <0f> b6 4f 04 48 89 e5 84 c9 74 39 4c 8b 87 98 01 00 00 41 0f b6
[79768.479000] RIP [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.479011] RSP <ffff880004637d18>
[79768.479016] CR2: 0000000000000004
[79768.482181] ---[ end trace 380ee93b0d773fef ]---
[79805.073971] virbr1: port 2(vnet0) entered disabled state
[79805.077114] device vnet0 left promiscuous mode
[79805.077551] virbr1: port 2(vnet0) entered disabled state
[79805.487960] audit: type=1400 audit(1481069496.146:225): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="libvirt-f4b18403-c2c6-7502-f299-ad4f7ffce117" pid=23295 comm="apparmor_parser"

Now the USB controller on the host system is unusable: a simple lsusb gets stuck, the VM is stuck, the libvirt-bin service has to be restarted to connect again, and I have to shut down all the other VMs and reboot the system.

Also with the new USB3.0 controller (model='nec-xhci'). Same story :\
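
For triage, an oops like the one above can be reduced to the faulting symbol, the triggering process, and whether the fault was reached through a usbfs ioctl, which is the `/dev/bus/usb` access that the AppArmor rule grants. This is an added example, not part of the original comment; `parse_oops` and the `via_usbfs_ioctl` flag are hypothetical names, and the sample lines are a subset copied from the log above.

```python
import re

# Subset of the oops quoted in the comment above, embedded so this runs offline.
SAMPLE = """\
[79768.478231] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
[79768.478253] IP: [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.478599] CPU: 2 PID: 23232 Comm: qemu-system-x86 Tainted: G I 4.4.0-53-generic #74-Ubuntu
[79768.478765] Call Trace:
[79768.478774] [<ffffffff8162846c>] ? check_ctrlrecip+0x6c/0x140
[79768.478783] [<ffffffff81629912>] proc_do_submiturb+0x252/0xbc0
[79768.478818] [<ffffffff8162ad43>] usbdev_do_ioctl+0xac3/0xfa0
[79768.478836] [<ffffffff8162b24e>] usbdev_ioctl+0xe/0x20
[79768.478862] [<ffffffff812218d9>] SyS_ioctl+0x79/0x90
[79768.479000] RIP [<ffffffff81610c96>] usb_find_alt_setting+0x6/0xb0
[79768.482181] ---[ end trace 380ee93b0d773fef ]---
"""

TS = r"^\[\s*\d+\.\d+\]\s+"  # dmesg timestamp prefix
BUG = re.compile(TS + r"BUG: unable to handle kernel (.+?) at ([0-9a-f]+)")
IP = re.compile(TS + r"IP: \[<[0-9a-f]+>\] (\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
PROC = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+)")
FRAME = re.compile(TS + r"\[<[0-9a-f]+>\] (\? )?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oops(text):
    """Summarise each oops found in 4.x-style dmesg text (format as in the log above)."""
    reports, cur, in_trace = [], None, False
    for line in text.splitlines():
        if m := BUG.match(line):
            cur = {"kind": m.group(1), "addr": int(m.group(2), 16), "trace": []}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue  # ignore everything before the first BUG line
        elif m := IP.match(line):
            cur["fault_sym"] = m.group(1)
        elif m := PROC.match(line):
            cur["pid"], cur["comm"] = int(m.group(1)), m.group(2)
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME.match(line)):
            if not m.group(1):  # "?" frames are unreliable stack leftovers
                cur["trace"].append(m.group(2))
        elif in_trace:
            in_trace = False  # first non-frame line ends the trace
    for r in reports:  # usbdev_ioctl is the usbfs (/dev/bus/usb) ioctl entry point
        r["via_usbfs_ioctl"] = "usbdev_ioctl" in r["trace"]
    return reports
```
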