BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x417/0x7f0 [amdgpu]
While running dEQP tests with radeonsi on the DRM code merged for 5.15-rc1 (locally merged on top of 5.14), KFENCE caught a use-after-free:
[30394.242105] ==================================================================
[30394.242117] BUG: KFENCE: use-after-free read in amdgpu_bo_move+0x417/0x7f0 [amdgpu]
[30394.242117]
[30394.242356] Use-after-free read at 0x000000002265b0f8 (in kfence-#74):
[30394.242361] amdgpu_bo_move+0x417/0x7f0 [amdgpu]
[30394.242552] ttm_bo_handle_move_mem+0x8d/0x180 [ttm]
[30394.242561] ttm_bo_validate+0xfb/0x180 [ttm]
[30394.242569] amdgpu_bo_fault_reserve_notify+0xbb/0x160 [amdgpu]
[30394.242771] amdgpu_gem_fault+0x7b/0x100 [amdgpu]
[30394.242974] __do_fault+0x36/0xd0
[30394.242980] __handle_mm_fault+0xe5a/0x15f0
[30394.242983] handle_mm_fault+0x135/0x3e0
[30394.242986] do_user_addr_fault+0x1d1/0x6a0
[30394.242991] exc_page_fault+0x79/0x290
[30394.242996] asm_exc_page_fault+0x1e/0x30
[30394.243000]
[30394.243002] kfence-#74 [0x000000002bc07551-0x00000000d8876109, size=216, cache=kmalloc-256] allocated by task 1444865:
[30394.243010] amdgpu_vram_mgr_new+0xde/0x380 [amdgpu]
[30394.243195] ttm_bo_mem_space+0x8f/0x2b0 [ttm]
[30394.243202] ttm_bo_validate+0xca/0x180 [ttm]
[30394.243209] ttm_bo_init_reserved+0x213/0x2b0 [ttm]
[30394.243216] amdgpu_bo_create+0x189/0x5b0 [amdgpu]
[30394.243403] amdgpu_bo_create_user+0x34/0x60 [amdgpu]
[30394.243584] amdgpu_gem_create_ioctl+0x120/0x330 [amdgpu]
[30394.243771] drm_ioctl_kernel+0xad/0x100 [drm]
[30394.243806] drm_ioctl+0x220/0x3c0 [drm]
[30394.243837] amdgpu_drm_ioctl+0x49/0x80 [amdgpu]
[30394.244017] __x64_sys_ioctl+0x83/0xb0
[30394.244022] do_syscall_64+0x5c/0x80
[30394.244028] entry_SYSCALL_64_after_hwframe+0x44/0xae
[30394.244032]
[30394.244032] freed by task 1444865:
[30394.244037] ttm_resource_free+0x31/0x40 [ttm]
[30394.244045] ttm_bo_release+0x28b/0x540 [ttm]
[30394.244052] ttm_bo_move_accel_cleanup+0x1b0/0x3b0 [ttm]
[30394.244059] amdgpu_bo_move+0x183/0x7f0 [amdgpu]
[30394.244242] ttm_bo_handle_move_mem+0x8d/0x180 [ttm]
[30394.244249] ttm_bo_validate+0xfb/0x180 [ttm]
[30394.244256] amdgpu_bo_fault_reserve_notify+0xbb/0x160 [amdgpu]
[30394.244437] amdgpu_gem_fault+0x7b/0x100 [amdgpu]
[30394.244620] __do_fault+0x36/0xd0
[30394.244625] __handle_mm_fault+0xe5a/0x15f0
[30394.244628] handle_mm_fault+0x135/0x3e0
[30394.244631] do_user_addr_fault+0x1d1/0x6a0
[30394.244636] exc_page_fault+0x79/0x290
[30394.244640] asm_exc_page_fault+0x1e/0x30
/cc @ckoenig
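The report above shows a single task allocating a resource (amdgpu_vram_mgr_new), freeing it inside ttm_bo_move_accel_cleanup called from amdgpu_bo_move, and then amdgpu_bo_move reading it again at a later offset. The following is an added user-space C model of that alloc/free/use shape, written for this page and not taken from amdgpu, TTM or the reporter. The struct and field names (res, bo, mem_type, num_pages), the poisoning quarantine that stands in for KFENCE's detection, and the "snapshot before cleanup" fix are all assumptions for illustration, not the real driver fix.

```c
#include <stdio.h>
#include <stdlib.h>

#define MEM_GTT  1u
#define MEM_VRAM 2u
#define POISON   0xDEADBEEFu   /* written into freed objects by the model allocator */

/* Stand-in for struct ttm_resource; field names are assumptions. */
struct res {
    unsigned mem_type;
    unsigned num_pages;
};

/* Stand-in for struct ttm_buffer_object. */
struct bo {
    struct res *resource;
};

/* Quarantine: freed objects are poisoned and parked instead of returned to
 * malloc, so a stale read yields POISON rather than silent undefined
 * behaviour.  A small model of what KFENCE/KASAN provide for kmalloc. */
#define QUARANTINE_SLOTS 8
static struct res *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len;

static void quarantine_flush(void)
{
    while (quarantine_len)
        free(quarantine[--quarantine_len]);
}

/* Model of the resource allocation (amdgpu_vram_mgr_new via ttm_bo_mem_space). */
static struct res *res_new(unsigned mem_type, unsigned num_pages)
{
    struct res *r = malloc(sizeof *r);
    if (!r)
        abort();
    r->mem_type = mem_type;
    r->num_pages = num_pages;
    return r;
}

/* Model of ttm_resource_free. */
static void res_free(struct res *r)
{
    if (!r)
        return;
    r->mem_type = POISON;
    r->num_pages = POISON;
    if (quarantine_len == QUARANTINE_SLOTS)
        quarantine_flush();
    quarantine[quarantine_len++] = r;
}

/* Model of ttm_bo_move_accel_cleanup: installs new_mem on the bo and frees
 * the previous resource.  Any pointer the caller kept to it now dangles. */
static void move_accel_cleanup(struct bo *bo, struct res *new_mem)
{
    struct res *old = bo->resource;
    bo->resource = new_mem;
    res_free(old);
}

/* Buggy caller shape: reads old_mem after cleanup freed it.  Returns the
 * value it read so the stale data is visible to the caller. */
static unsigned bo_move_buggy(struct bo *bo, struct res *new_mem)
{
    struct res *old_mem = bo->resource;
    move_accel_cleanup(bo, new_mem);
    return old_mem->mem_type;          /* use-after-free read */
}

/* Fixed caller shape: snapshot what is needed before cleanup and never
 * touch old_mem afterwards. */
static unsigned bo_move_fixed(struct bo *bo, struct res *new_mem)
{
    unsigned old_type = bo->resource->mem_type;
    move_accel_cleanup(bo, new_mem);
    return old_type;
}

/* One VRAM->GTT move with either caller; returns the old mem_type that
 * caller observed: MEM_VRAM when correct, POISON when it read freed memory. */
static unsigned move_scenario(int use_fixed)
{
    struct bo bo = { res_new(MEM_VRAM, 16) };
    struct res *gtt = res_new(MEM_GTT, 16);
    unsigned seen = use_fixed ? bo_move_fixed(&bo, gtt) : bo_move_buggy(&bo, gtt);

    res_free(bo.resource);
    quarantine_flush();
    return seen;
}

int main(void)
{
    printf("buggy caller saw old mem_type 0x%x\n", move_scenario(0));
    printf("fixed caller saw old mem_type 0x%x\n", move_scenario(1));
    return 0;
}
```

The quarantine is what makes the bad read observable without a real KFENCE build: with plain malloc the freed chunk is often reused or still holds its old contents, and the buggy caller would usually return the correct value by luck. That is also why a UAF like this one can survive in a driver for a long time until a sampling detector such as KFENCE happens to land the allocation on a guarded page.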