kernel NULL pointer dereference in iwlmvm when debugfs=off

Bug #1948825 reported by Simon Déziel
Affects                   Status  Importance  Assigned to  Milestone
linux-hwe-5.11 (Ubuntu)   New     Undecided   Unassigned
linux-hwe-5.13 (Ubuntu)   New     Undecided   Unassigned

Bug Description

When booting 5.13.0-30-generic, dmesg shows:

ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
BUG: kernel NULL pointer dereference, address: 0000000000000017
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 1 PID: 921 Comm: modprobe Tainted: P U O 5.13.0-30-generic #33~20.04.1-Ubuntu
Hardware name: System76 Lemur/Lemur, BIOS 1.05.25RSA2-1 04/17/2018
RIP: 0010:iwl_mvm_dbgfs_register+0x660/0x6d0 [iwlmvm]
Code: 29 c1 be 80 01 00 00 48 c7 c7 35 f8 29 c1 e8 27 b9 20 cd 48 8b 83 60 18 00 00 48 c7 c2 39 f8 29 c1 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 18 e8 f7 07 36 cd 48 8b 43 28 48 8d 55 8c 48 c7 c7 44 f8
RSP: 0018:ffff9e37c072bb08 EFLAGS: 00010206
RAX: ffffffffffffffff RBX: ffff8b3fcb5e1f48 RCX: ffff8b3fcb5e1f48
RDX: ffffffffc129f839 RSI: 0000000000000064 RDI: ffff9e37c072bb0c
RBP: ffff9e37c072bb80 R08: ffffffff8f26c920 R09: ffffffffc1298ae0
R10: 0000000000000100 R11: 0000000000000021 R12: 0000000000000000
R13: 0000000fffffffe0 R14: ffff8b3fcb5e1f48 R15: ffff8b3fcb5e1f40
FS: 00007f9084e19540(0000) GS:ffff8b470ec80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000017 CR3: 00000001048c8006 CR4: 00000000003706e0
Call Trace:
 <TASK>
 ? iwl_mvm_mac_setup_register+0x95e/0xb90 [iwlmvm]
 ? iwl_mvm_stop_device+0x65/0x80 [iwlmvm]
 iwl_op_mode_mvm_start+0x96f/0xa40 [iwlmvm]
 _iwl_op_mode_start.isra.0+0x47/0x80 [iwlwifi]
 iwl_opmode_register+0x73/0xe0 [iwlwifi]
 ? 0xffffffffc0a0c000
 iwl_mvm_init+0x3a/0x1000 [iwlmvm]
 ? 0xffffffffc0a0c000
 do_one_initcall+0x48/0x1d0
 ? __cond_resched+0x19/0x30
 ? kmem_cache_alloc_trace+0x37c/0x440
 do_init_module+0x62/0x260
 load_module+0x125d/0x1440
 __do_sys_finit_module+0xc2/0x120
 ? __do_sys_finit_module+0xc2/0x120
 __x64_sys_finit_module+0x1a/0x20
 do_syscall_64+0x61/0xb0
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9084f5e89d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffcb48505e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055aa54753d20 RCX: 00007f9084f5e89d
RDX: 0000000000000000 RSI: 000055aa52f0d358 RDI: 0000000000000002
RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 000055aa52f0d358
R13: 0000000000000000 R14: 000055aa54753e50 R15: 000055aa54753d20
 </TASK>
Modules linked in: snd_soc_acpi snd_soc_core snd_compress ac97_bus snd_pcm_dmaengine snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi zfs(PO+) snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi zunicode(PO) snd_seq_midi_event zzstd(O) snd_rawmidi zlua(O) intel_rapl_m>
 usbhid hid_generic hid i915 i2c_algo_bit drm_kms_helper aesni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops crypto_simd cec cryptd rc_core drm nvme psmouse nvme_core xhci_pci xhci_pci_renesas wmi video mac_hid
CR2: 0000000000000017
---[ end trace cae0adb6dc5e38f3 ]---
iwlwifi 0000:02:00.0 wlp2s0: renamed from wlan0
RIP: 0010:iwl_mvm_dbgfs_register+0x660/0x6d0 [iwlmvm]
Code: 29 c1 be 80 01 00 00 48 c7 c7 35 f8 29 c1 e8 27 b9 20 cd 48 8b 83 60 18 00 00 48 c7 c2 39 f8 29 c1 be 64 00 00 00 48 8d 7d 8c <48> 8b 48 18 e8 f7 07 36 cd 48 8b 43 28 48 8d 55 8c 48 c7 c7 44 f8
RSP: 0018:ffff9e37c072bb08 EFLAGS: 00010206
RAX: ffffffffffffffff RBX: ffff8b3fcb5e1f48 RCX: ffff8b3fcb5e1f48
RDX: ffffffffc129f839 RSI: 0000000000000064 RDI: ffff9e37c072bb0c
RBP: ffff9e37c072bb80 R08: ffffffff8f26c920 R09: ffffffffc1298ae0
R10: 0000000000000100 R11: 0000000000000021 R12: 0000000000000000
R13: 0000000fffffffe0 R14: ffff8b3fcb5e1f48 R15: ffff8b3fcb5e1f40
FS: 00007f9084e19540(0000) GS:ffff8b470ec80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000017 CR3: 00000001048c8006 CR4: 00000000003706e0

When booting 5.11.0-38-generic:

ieee80211 phy0: Selected rate control algorithm 'iwl-mvm-rs'
thermal thermal_zone3: failed to read out thermal zone (-61)
BUG: kernel NULL pointer dereference, address: 0000000000000017
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 1 PID: 912 Comm: modprobe Tainted: P O 5.11.0-38-generic #42~20.04.1-Ubuntu
Hardware name: System76 Lemur/Lemur, BIOS 1.05.25RSA2-1 04/17/2018
RIP: 0010:iwl_mvm_dbgfs_register+0x5db/0x660 [iwlmvm]
Code: 48 c7 c7 a8 bb 00 c1 e8 83 15 89 cc 48 89 d9 4c 89 e2 be 80 01 00 00 49 c7 c0 00 51 00 c1 48 c7 c7 b0 bb 00 c1 e8 15 0c 89 cc <49> 8b 4c 24 18 48 c7 c2 b4 bb 00 c1 be 64 00 00 00 48 8d 7d 84 e8
RSP: 0018:ffffa59c40607af0 EFLAGS: 00010206
RAX: ffffffffffffffff RBX: ffff8ebbc8f91f28 RCX: ffff8ebbc8f91f28
RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffffffffc100bbb0
RBP: ffffa59c40607b70 R08: ffffffff8e46b100 R09: ffffffffc1005100
R10: 0000000000000100 R11: 0000000000000013 R12: ffffffffffffffff
R13: 0000000fffffffe0 R14: ffff8ebbc8f91f28 R15: ffff8ebbc8f91f20
FS: 00007f6eb9e21540(0000) GS:ffff8ec30ec80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000017 CR3: 000000010aba2002 CR4: 00000000003706e0
Call Trace:
 ? thermal_zone_device_set_mode+0x8c/0xb0
 ? thermal_zone_device_enable+0x13/0x20
 ? iwl_mvm_thermal_initialize+0x1ca/0x390 [iwlmvm]
 iwl_op_mode_mvm_start+0x762/0xa10 [iwlmvm]
 _iwl_op_mode_start.isra.0+0x47/0x80 [iwlwifi]
 iwl_opmode_register+0x73/0xe0 [iwlwifi]
 ? 0xffffffffc0aa3000
 iwl_mvm_init+0x3a/0x1000 [iwlmvm]
 ? 0xffffffffc0aa3000
 do_one_initcall+0x48/0x1d0
 ? _cond_resched+0x19/0x30
 ? kmem_cache_alloc_trace+0x37a/0x430
 ? do_init_module+0x28/0x250
 do_init_module+0x62/0x250
 load_module+0x11aa/0x1370
 ? security_kernel_post_read_file+0x5c/0x70
 ? security_kernel_post_read_file+0x5c/0x70
 __do_sys_finit_module+0xc2/0x120
 ? __do_sys_finit_module+0xc2/0x120
 __x64_sys_finit_module+0x1a/0x20
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f6eb9f6689d
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d c3 f5 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffdbd12deb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 0000555dbd8f8a40 RCX: 00007f6eb9f6689d
RDX: 0000000000000000 RSI: 0000555dbcc58358 RDI: 0000000000000002
RBP: 0000000000040000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000555dbcc58358
R13: 0000000000000000 R14: 0000555dbd8f8b70 R15: 0000555dbd8f8a40
Modules linked in: snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_soc_skl snd_soc_hdac_hda snd_hda_ext_core snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_acpi_intel_match snd_soc_acpi snd_hda_intel snd_intel_dspcfg soundwire_intel soundwire_generi>
 intel_pch_thermal libahci intel_xhci_usb_role_switch acpi_pad sch_fq_codel nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 msr ip_tables x_tables autofs4 btrfs blake2b_generic libcrc32c xor raid6_pq dm_crypt hid_generic usbhid hid i915 aesni_intel i2c_algo_bit drm_kms_helper psm>
CR2: 0000000000000017
---[ end trace b471419e1ba88be0 ]---
iwlwifi 0000:02:00.0 wlp2s0: renamed from wlan0
RIP: 0010:iwl_mvm_dbgfs_register+0x5db/0x660 [iwlmvm]
Code: 48 c7 c7 a8 bb 00 c1 e8 83 15 89 cc 48 89 d9 4c 89 e2 be 80 01 00 00 49 c7 c0 00 51 00 c1 48 c7 c7 b0 bb 00 c1 e8 15 0c 89 cc <49> 8b 4c 24 18 48 c7 c2 b4 bb 00 c1 be 64 00 00 00 48 8d 7d 84 e8
RSP: 0018:ffffa59c40607af0 EFLAGS: 00010206
RAX: ffffffffffffffff RBX: ffff8ebbc8f91f28 RCX: ffff8ebbc8f91f28
RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffffffffc100bbb0
RBP: ffffa59c40607b70 R08: ffffffff8e46b100 R09: ffffffffc1005100
R10: 0000000000000100 R11: 0000000000000013 R12: ffffffffffffffff
R13: 0000000fffffffe0 R14: ffff8ebbc8f91f28 R15: ffff8ebbc8f91f20
FS: 00007f6eb9e21540(0000) GS:ffff8ec30ec80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000017 CR3: 000000010aba2002 CR4: 00000000003706e0
ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.

FYI, debugfs is disabled by booting with debugfs=off in /proc/cmdline.

Additional information:

$ lsb_release -rd
Description: Ubuntu 20.04.3 LTS
Release: 20.04

$ apt-cache policy linux-modules-5.13.0-30-generic
linux-modules-5.13.0-30-generic:
  Installed: 5.13.0-30.33~20.04.1
  Candidate: 5.13.0-30.33~20.04.1
  Version table:
 *** 5.13.0-30.33~20.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy linux-image-5.11.0-38-generic
linux-image-5.11.0-38-generic:
  Installed: 5.11.0-38.42~20.04.1
  Candidate: 5.11.0-38.42~20.04.1
  Version table:
 *** 5.11.0-38.42~20.04.1 500
        500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: linux-modules-5.11.0-38-generic 5.11.0-38.42~20.04.1
ProcVersionSignature: Ubuntu 5.11.0-38.42~20.04.1-generic 5.11.22
Uname: Linux 5.11.0-38-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Tue Oct 26 10:04:44 2021
InstallationDate: Installed on 2021-05-31 (147 days ago)
InstallationMedia: Ubuntu 20.04.2 LTS "Focal Fossa" - Release amd64 (20210527)
SourcePackage: linux-hwe-5.11
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Simon Déziel (sdeziel) wrote :

This seems to be fixed upstream by https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5a6248c0a22352f09ea041665d3bd3e18f6f872c which is marked `Cc: stable <email address hidden>`.

I'd expect this commit to eventually percolate to Ubuntu kernels, right? If so, should this bug be kept open until then?
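Added worked example (not code from the bug report and not the iwlwifi source). Both traces above show the same shape: the faulting pointer register holds 0xffffffffffffffff (RAX in the 5.13 trace, R12 in the 5.11 trace), the faulting instruction is a load at +0x18 from that register (`48 8b 48 18` is `mov rcx,[rax+0x18]`; `49 8b 4c 24 18` is `mov rcx,[r12+0x18]`), and CR2 is 0x17. 0xffffffffffffffff is ERR_PTR(-EPERM), which is what debugfs_create_dir() returns when debugfs=off disables the API, and 0x18 is the offset of d_parent in struct dentry on x86-64. The reading that the driver dereferenced an error pointer as a dentry is an inference from those registers, not something the page states. The model below reproduces that arithmetic in user space and shows the IS_ERR() check that makes the same call safe. The stand-in dentry layout, the fake debugfs_create_dir() and all function names are assumptions for illustration.

```c
/*
 * Added example, not code from the bug report or from iwlwifi. It models
 * the failure implied by the oops: debugfs_create_dir() returns
 * ERR_PTR(-EPERM) when debugfs=off, and a caller that reads ->d_parent
 * from that pointer without an IS_ERR() check faults at address 0x17.
 *
 * ERR_PTR/IS_ERR/PTR_ERR mirror include/linux/err.h. struct dentry is a
 * stand-in that only reproduces d_parent at offset 0x18 (assumption based
 * on the "[reg+0x18]" load in the traces); the rest is illustrative.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095
#define ERR_PTR(err)  ((void *)(intptr_t)(err))
#define PTR_ERR(ptr)  ((long)(intptr_t)(ptr))
#define IS_ERR(ptr)   ((uintptr_t)(ptr) >= (uintptr_t)-MAX_ERRNO)

struct hlist_bl_node { struct hlist_bl_node *next, **pprev; };

/* Stand-in dentry: d_flags(4) + d_seq(4) + d_hash(16) puts d_parent at 0x18. */
struct dentry {
	unsigned int d_flags;
	unsigned int d_seq;
	struct hlist_bl_node d_hash;
	struct dentry *d_parent;
	const char *d_name;
};

/* Emulates debugfs with access control: when the API is disabled
 * (debugfs=off on the kernel command line), directory creation returns
 * ERR_PTR(-EPERM) instead of a dentry. */
static bool debugfs_api_allowed = true;
static struct dentry fake_root = { .d_name = "/" };
static struct dentry fake_dir  = { .d_parent = &fake_root, .d_name = "iwlmvm" };

static struct dentry *fake_debugfs_create_dir(const char *name, struct dentry *parent)
{
	(void)name; (void)parent;
	if (!debugfs_api_allowed)
		return ERR_PTR(-EPERM);
	return &fake_dir;
}

void set_debugfs_access(bool allowed) { debugfs_api_allowed = allowed; }

/* Address a `dir->d_parent` load would touch. For ERR_PTR(-EPERM) this is
 * 0xffffffffffffffff + 0x18 == 0x17, the CR2 value in both traces. */
uintptr_t d_parent_load_address(struct dentry *dir)
{
	return (uintptr_t)dir + offsetof(struct dentry, d_parent);
}

/* Buggy pattern: trusts the return value. Instead of performing the load
 * (which would crash this process too), it returns the address the load
 * would use so the example can run in user space. */
uintptr_t register_dbgfs_unchecked(void)
{
	struct dentry *dir = fake_debugfs_create_dir("iwlmvm", NULL);
	return d_parent_load_address(dir);  /* would be dir->d_parent in the driver */
}

/* Hardened pattern: treat a disabled debugfs as "nothing to register".
 * Returns 0 on success or -EPERM when debugfs is off, and never reads
 * through the error pointer. parent_name_out is only set on success. */
int register_dbgfs_checked(const char **parent_name_out)
{
	struct dentry *dir = fake_debugfs_create_dir("iwlmvm", NULL);
	*parent_name_out = NULL;
	if (IS_ERR(dir))
		return (int)PTR_ERR(dir);
	*parent_name_out = dir->d_parent->d_name;
	return 0;
}

int main(void)
{
	const char *parent;
	set_debugfs_access(false);
	printf("unchecked path would load from 0x%lx\n",
	       (unsigned long)register_dbgfs_unchecked());
	printf("checked path returns %d\n", register_dbgfs_checked(&parent));
	return 0;
}
```

The check is the whole fix: debugfs helpers deliberately return error pointers rather than NULL when access is disabled, so a `if (!dir)` test does not catch it and IS_ERR() (or skipping debugfs registration entirely when it is not allowed) is required before any field of the returned dentry is touched.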
