Index: fuse_ipc.h
===================================================================
--- fuse_ipc.h	(revisione 238487)
+++ fuse_ipc.h	(copia locale)
@@ -320,6 +320,7 @@ fuse_aw_remove(struct fuse_ticket *ftick)
 {
     DEBUGX(FUSE_DEBUG_IPC, "ftick=%p refcount=%d\n",
         ftick, ftick->tk_refcount);
+    mtx_assert(&data->aw_mtx, MA_OWNED);
     TAILQ_REMOVE(&ftick->tk_data->aw_head, ftick, tk_aw_link);
 #ifdef INVARIANTS
     ftick->tk_aw_link.tqe_next = NULL;
Index: fuse_device.c
===================================================================
--- fuse_device.c	(revisione 238487)
+++ fuse_device.c	(copia locale)
@@ -428,7 +428,12 @@ fuse_device_write(struct cdev *dev, struct uio *ui
 			/* pretender doesn't wanna do anything with answer */
 			DEBUG("stuff devalidated, so we drop it\n");
 		}
-		FUSE_ASSERT_AW_DONE(tick);
+
+		/*
+		 * As aw_mtx was not held during the callback execution the
+		 * ticket may have been inserted again.  However, this is safe
+		 * because fuse_ticket_drop() will deal with refcount anyway.
+		 */
 		fuse_ticket_drop(tick);
 	} else {
 		/* no callback at all! */