bluetooth disconnection corrupts memory and causes kernel panic

This bug is present on kernels v3.8-rc1 and beyond and was exposed by commit ecbbfd44.
To reproduce:

1) Pair a bluetooth device that is capable of being easily powered down (a phone for example)
2) Configure /etc/bluetooth/rfcomm.conf to connect to device. For example:
rfcomm0 {
        bind no;
        device XX:XX:XX:XX:XX:XX;
        channel XX;
        comment "phone";
}
3) Type 'rfcomm connect 0'.
4) On the device power down the bluetooth component or power down the device.
5) Eventually the machine will crash, I've found that exec'ing another program will cause the crash easily.

ProblemType: KernelCrash
DistroRelease: Ubuntu 13.10
Package: linux-image-3.9.0-4-generic
ProcVersionSignature: Ubuntu 3.9.0-4.9-generic 3.9.4
Uname: Linux 3.9.0-4-generic x86_64
ApportVersion: 2.10.2-0ubuntu1
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: ubuntu 1537 F.... pulseaudio
Date: Tue Jun 11 12:22:26 2013
HibernationDevice: RESUME=UUID=8c8e9f7c-b216-4ead-a5da-8e267ab136ac
InstallationDate: Installed on 2013-06-05 (5 days ago)
InstallationMedia: Ubuntu 13.10 "Saucy Salamander" - Alpha amd64 (20130605)
MachineType: LENOVO 42872WU
MarkForUpload: True
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.9.0-4-generic root=UUID=94d4ed1f-8182-4805-8d5b-6944f6f1c428 ro crashkernel=384M-2G:64M,2G-:128M debug ignore_loglevel
PulseList:
 Error: command ['pacmd', 'list'] failed with exit code 1: Home directory not accessible: Permission denied
 No PulseAudio daemon running, or not running as session daemon.
RelatedPackageVersions:
 linux-restricted-modules-3.9.0-4-generic N/A
 linux-backports-modules-3.9.0-4-generic N/A
 linux-firmware 1.109
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 11/01/2011
dmi.bios.vendor: LENOVO
dmi.bios.version: 8DET55WW (1.25 )
dmi.board.asset.tag: Not Available
dmi.board.name: 42872WU
dmi.board.vendor: LENOVO
dmi.board.version: Not Available
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Not Available
dmi.modalias: dmi:bvnLENOVO:bvr8DET55WW(1.25):bd11/01/2011:svnLENOVO:pn42872WU:pvrThinkPadX220:rvnLENOVO:rn42872WU:rvrNotAvailable:cvnLENOVO:ct10:cvrNotAvailable:
dmi.product.name: 42872WU
dmi.product.version: ThinkPad X220
dmi.sys.vendor: LENOVO

--

The actual crash:
[ 507.050158] Bluetooth: TIOCGSERIAL is not supported
[ 513.902765] ------------[ cut here ]------------
[ 513.902781] WARNING: at /build/buildd/linux-3.9.0/kernel/workqueue.c:602 get_work_pool+0x81/0x90()
[ 513.902784] Hardware name: 42872WU
[ 513.902786] Modules linked in: intel_powerclamp coretemp kvm_intel kvm parport_pc(F) crc32_pclmul(F) ghash_clmulni_intel(F) ppdev(F) rfcomm aesni_intel(F) aes_x86_64(F) bnep xts(F) lrw(F) gf128mul(F) ablk_helper(F) cryptd(F) joydev(F) arc4(F) uvcvideo iwldvm snd_hda_codec_hdmi snd_hda_codec_conexant videobuf2_vmalloc videobuf2_memops videobuf2_core mac80211 snd_hda_intel thinkpad_acpi videodev snd_hda_codec nvram(F) snd_hwdep(F) snd_pcm(F) iwlwifi snd_page_alloc(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) snd_seq(F) snd_seq_device(F) btusb snd_timer(F) psmouse(F) snd(F) bluetooth mei cfg80211 serio_raw(F) soundcore(F) microcode(F) tpm_tis lpc_ich mac_hid lp(F) parport(F) i915 i2c_algo_bit drm_kms_helper e1000e(F) ptp(F) pps_core(F) drm sdhci_pci sdhci ahci(F) libahci(F) wmi video(F)
[ 513.902871] Pid: 863, comm: modem-manager Tainted: GF 3.9.0-4-generic #9-Ubuntu
[ 513.902873] Call Trace:
[ 513.902883] [<ffffffff810584c0>] warn_slowpath_common+0x70/0xa0
[ 513.902889] [<ffffffff810585aa>] warn_slowpath_null+0x1a/0x20
[ 513.902894] [<ffffffff810750f1>] get_work_pool+0x81/0x90
[ 513.902900] [<ffffffff810780c4>] flush_work+0x24/0x160
[ 513.902909] [<ffffffffa051330e>] ? rfcomm_dev_destruct+0x7e/0xb0 [rfcomm]
[ 513.902916] [<ffffffff8117d0ed>] ? kfree+0xfd/0x130
[ 513.902922] [<ffffffff81078274>] __cancel_work_timer+0x74/0xb0
[ 513.902928] [<ffffffff810782c0>] cancel_work_sync+0x10/0x20
[ 513.902935] [<ffffffff814196bd>] tty_ldisc_halt+0x1d/0x30
[ 513.902940] [<ffffffff8141a437>] tty_ldisc_release+0x17/0x90
[ 513.902946] [<ffffffff814131ed>] tty_release+0x46d/0x5c0
[ 513.902953] [<ffffffff81195da1>] __fput+0xe1/0x230
[ 513.902958] [<ffffffff81195fbe>] ____fput+0xe/0x10
[ 513.902964] [<ffffffff810799d7>] task_work_run+0xa7/0xe0
[ 513.902970] [<ffffffff81013d09>] do_notify_resume+0x69/0xa0
[ 513.902977] [<ffffffff816db7da>] int_signal+0x12/0x17
[ 513.902980] ---[ end trace df6aa8116aaf35db ]---
[ 536.981969] BUG: unable to handle kernel paging request at 000000fffffffe00
[ 536.982013] IP: [<ffffffff8117f83b>] __kmalloc_node_track_caller+0xdb/0x1d0
[ 536.982050] PGD 0
[ 536.982061] Oops: 0000 [#1] SMP
[ 536.982079] Modules linked in: intel_powerclamp coretemp kvm_intel kvm parport_pc(F) crc32_pclmul(F) ghash_clmulni_intel(F) ppdev(F) rfcomm aesni_intel(F) aes_x86_64(F) bnep xts(F) lrw(F) gf128mul(F) ablk_helper(F) cryptd(F) joydev(F) arc4(F) uvcvideo iwldvm snd_hda_codec_hdmi snd_hda_codec_conexant videobuf2_vmalloc videobuf2_memops videobuf2_core mac80211 snd_hda_intel thinkpad_acpi videodev snd_hda_codec nvram(F) snd_hwdep(F) snd_pcm(F) iwlwifi snd_page_alloc(F) snd_seq_midi(F) snd_seq_midi_event(F) snd_rawmidi(F) snd_seq(F) snd_seq_device(F) btusb snd_timer(F) psmouse(F) snd(F) bluetooth mei cfg80211 serio_raw(F) soundcore(F) microcode(F) tpm_tis lpc_ich mac_hid lp(F) parport(F) i915 i2c_algo_bit drm_kms_helper e1000e(F) ptp(F) pps_core(F) drm sdhci_pci sdhci ahci(F) libahci(F) wmi video(F)
[ 536.982464] CPU 3
[ 536.982476] Pid: 1586, comm: dbus-daemon Tainted: GF W 3.9.0-4-generic #9-Ubuntu LENOVO 42872WU/42872WU
[ 536.982522] RIP: 0010:[<ffffffff8117f83b>] [<ffffffff8117f83b>] __kmalloc_node_track_caller+0xdb/0x1d0
[ 536.982567] RSP: 0018:ffff8801167099d0 EFLAGS: 00010246
[ 536.982591] RAX: 0000000000000000 RBX: ffff8800d3ce3c00 RCX: 000000000000c011
[ 536.982623] RDX: 000000000000c010 RSI: 0000000000000000 RDI: 0000000000017080
[ 536.982657] RBP: ffff880116709a10 R08: ffff88011e2d7080 R09: ffff880119802a00
[ 536.982688] R10: ffff880119810400 R11: 0000000000000246 R12: 00000000000106d0
[ 536.982719] R13: 000000fffffffe00 R14: 0000000000000200 R15: 00000000ffffffff
[ 536.982751] FS: 00007fab0e008800(0000) GS:ffff88011e2c0000(0000) knlGS:0000000000000000
[ 536.982787] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 536.982812] CR2: 000000fffffffe00 CR3: 0000000116606000 CR4: 00000000000407e0
[ 536.982844] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 536.982875] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 536.982907] Process dbus-daemon (pid: 1586, threadinfo ffff880116708000, task ffff880113de45f0)
[ 536.982945] Stack:
[ 536.982954] 0000000000000001 ffff880119802a00 ffffffff815be9ae ffff8800d3ce3c00
[ 536.982991] ffff880116709a6f 00000000000004d0 0000000000000200 00000000ffffffff
[ 536.983026] ffff880116709a50 ffffffff815be741 ffffffff815be97e ffff8800d3ce3c00
[ 536.983062] Call Trace:
[ 536.983078] [<ffffffff815be9ae>] ? __alloc_skb+0x7e/0x2b0
[ 536.983105] [<ffffffff815be741>] __kmalloc_reserve.isra.26+0x31/0x90
[ 536.983135] [<ffffffff815be97e>] ? __alloc_skb+0x4e/0x2b0
[ 536.983162] [<ffffffff815be9ae>] __alloc_skb+0x7e/0x2b0
[ 536.983188] [<ffffffff815b9f56>] sock_alloc_send_pskb+0x1c6/0x340
[ 536.983218] [<ffffffff815bf38c>] ? consume_skb+0x2c/0x80
[ 536.983244] [<ffffffff816d2c2e>] ? _raw_spin_lock+0xe/0x20
[ 536.983270] [<ffffffff815ba0e5>] sock_alloc_send_skb+0x15/0x20
[ 536.983300] [<ffffffff8165f349>] unix_stream_sendmsg+0x269/0x460
[ 536.983328] [<ffffffff815b511a>] sock_sendmsg+0xaa/0xe0
[ 536.983353] [<ffffffff815b5259>] ? sock_recvmsg+0xb9/0xf0
[ 536.983380] [<ffffffff81098429>] ? load_balance+0x109/0x7e0
[ 536.983408] [<ffffffff815c2c06>] ? verify_iovec+0x56/0xd0
[ 536.983434] [<ffffffff815b58de>] __sys_sendmsg+0x39e/0x3b0
[ 536.983461] [<ffffffff811da07b>] ? ep_send_events_proc+0x15b/0x1a0
[ 536.983492] [<ffffffff81043bd9>] ? default_spin_lock_flags+0x9/0x10
[ 536.983522] [<ffffffff811da85d>] ? ep_scan_ready_list.isra.6+0x1ad/0x1b0
[ 536.983554] [<ffffffff811da991>] ? ep_poll+0x111/0x340
[ 536.983578] [<ffffffff815b7802>] sys_sendmsg+0x42/0x80
[ 536.984924] [<ffffffff816db51d>] system_call_fastpath+0x1a/0x1f
[ 536.986258] Code: 49 63 41 18 66 66 66 66 90 4c 89 e8 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 1f 44 00 00 49 63 41 20 48 8d 4a 01 49 8b 39 <49> 8b 5c 05 00 4c 89 e8 65 48 0f c7 0f 0f 94 c0 84 c0 0f 84 65
[ 536.989223] RIP [<ffffffff8117f83b>] __kmalloc_node_track_caller+0xdb/0x1d0
[ 536.990667] RSP <ffff8801167099d0>
[ 536.992062] CR2: 000000fffffffe00