OK, I found out the culprit.  It's the race of dirty update callback and the
dirty clip update.  The schedule_work() in drm_fb_helper_dirty() must be inside
the spinlock.  Otherwise the concurrent calls may conflict, one clears the clip
while the another is called after that with the cleared clip area.

I'll post the patch soon later.