Hm, after more careful review, I take back my comment about the scheme being fragile. (I mean, it's still fragile, but not AS fragile as I thought. I don't see a way for it to fail under normal circumstances.) However one very simple explanation is that a call command is making it onto the userspace-supplied pushbuf. Let's make sure that this is not the case -- Get valgrind-mmt going (http://nouveau.freedesktop.org/wiki/Valgrind-mmt/), and run X inside of mmt, and run x11perf until it dies, e.g. valgrind --tool=mmt --mmt-trace-file=/dev/dri/card0 --mmt-trace-nouveau-ioctls xinit x11perf -putimage500 -- :1 >& xorg-mmt.log or something along those lines. (And you can run it in a separate X server so you don't have to kill your "real" session.)