Core ReactOS / CORE-7220

Changing process address space without holding AddressCreationLock


Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • NTCore

    Description

      I have trunk (59074) running with newcc and I hit the following assertion:

      (E:\drivers\REACTOS\drivers\network\ndisuio\main.c:101) NDISUIO: Loaded
      (E:\drivers\REACTOS\ntoskrnl\mm\ARM3\sysldr.c:174) Loading: \SystemRoot\system32\drivers\afd.sys at F9DAF000 with 20 pages
      (E:\drivers\REACTOS\ntoskrnl\io\iomgr\file.c:438) Using IopParseDevice() hack. Requested invalid attributes: 1
      (E:\drivers\REACTOS\drivers\bus\acpi\main.c:276) Fixed power button reported to power manager
      (E:\drivers\REACTOS\drivers\bus\acpi\main.c:281) Fixed sleep button reported to power manager
      (E:\drivers\REACTOS\ntoskrnl\po\events.c:267) Device capabilities: 0x3 ( POWER SLEEP )
      (E:\drivers\REACTOS\ntoskrnl\mm\ARM3\mminit.c:1173) Loader pages freed: d6
      (E:\drivers\REACTOS\ntoskrnl\ex\init.c:1959) Free non-cache pages: ee4d
      WARNING: RtlCreateTagHeap at E:\drivers\REACTOS\lib\rtl\heap.c:3875 is UNIMPLEMENTED!
      (E:\drivers\REACTOS\base\system\smss\sminit.c:2250) SMSS: !!! MiniNT Boot !!!
      (E:\drivers\REACTOS\lib\rtl\heap.c:2202) HEAP: Trying to free an invalid address 0046006C!
      Assertion '((EPROCESS *)(((ULONG_PTR)AddressSpace) - (ULONG_PTR)(&(((EPROCESS *)0)->Vm))))->AddressCreationLock.Owner == _KeGetCurrentThread()' failed at E:\drivers\REACTOS\ntoskrnl\mm\marea.c line 810
      Break instruction exception - code 80000003 (first chance)
      nt!DbgBreakPoint:
      8050c512 cc int 3

      kd> kb
      ChildEBP RetAddr Args to Child
      f9da9a34 8050b3b6 f9da9aa0 804c07dc 805bb3c0 nt!DbgBreakPoint
      f9da9a3c 804c07dc 805bb3c0 805bb394 0000032a nt!RtlAssert+0x46 [e:\drivers\reactos\lib\rtl\assert.c @ 119]
      f9da9aa0 80409b96 805fd568 b0821e80 804090c0 nt!MmFreeMemoryArea+0x2c [e:\drivers\reactos\ntoskrnl\mm\marea.c @ 810]
      f9da9acc 80409c10 805fd568 80d80000 80600b80 nt!MmUnmapViewOfCacheSegment+0xe6 [e:\drivers\reactos\ntoskrnl\cache\section\data.c @ 823]
      f9da9ae4 80406dfd 80d80000 00000000 00000000 nt!MmUnmapCacheViewInSystemSpace+0x30 [e:\drivers\reactos\ntoskrnl\cache\section\data.c @ 916]
      f9da9b1c 804052fc 00000006 00000001 00000001 nt!CcpDereferenceCache+0x1ed [e:\drivers\reactos\ntoskrnl\cache\pinsup.c @ 260]
      f9da9b48 fa0fafbe b0822108 b0822280 00000000 nt!CcUninitializeCacheMap+0x1ac [e:\drivers\reactos\ntoskrnl\cache\fssup.c @ 326]
      f9da9b68 fa0fad85 b0927ea0 00000012 f9da9b90 fastfat!VfatCleanupFile+0x1ce [e:\drivers\reactos\drivers\filesystems\fastfat\cleanup.c @ 91]
      f9da9b78 fa107efc b0927ea0 00000001 00000012 fastfat!VfatCleanup+0x75 [e:\drivers\reactos\drivers\filesystems\fastfat\cleanup.c @ 126]
      f9da9b90 fa107b62 b0927ea0 00000001 00000001 fastfat!VfatDispatchRequest+0x15c [e:\drivers\reactos\drivers\filesystems\fastfat\misc.c @ 127]
      f9da9bac 80469739 b085e018 b084c610 b08c0bf8 fastfat!VfatBuildRequest+0xc2 [e:\drivers\reactos\drivers\filesystems\fastfat\misc.c @ 162]
      f9da9bd0 8046085d 80047b01 00000000 f9da9be0 nt!IofCallDriver+0xa9 [e:\drivers\reactos\ntoskrnl\io\iomgr\irp.c @ 1205]
      f9da9c00 804d0184 b0839560 b0822108 001f01ff nt!IopCloseFile+0x1bd [e:\drivers\reactos\ntoskrnl\io\iomgr\file.c @ 1516]
      f9da9c50 804d0396 b0822108 b0839560 001f01ff nt!ObpDecrementHandleCount+0x274 [e:\drivers\reactos\ntoskrnl\ob\obhandle.c @ 624]
      f9da9c7c 804d13b0 e1076758 e10790d8 0000006c nt!ObpCloseHandleTableEntry+0x1a6 [e:\drivers\reactos\ntoskrnl\ob\obhandle.c @ 752]
      f9da9ce8 804cdf65 0000006c 00000001 f9da9d0c nt!ObpCloseHandle+0x190 [e:\drivers\reactos\ntoskrnl\ob\obhandle.c @ 1749]
      f9da9cf8 804ff259 0000006c 00000005 00000004 nt!NtClose+0x15 [e:\drivers\reactos\ntoskrnl\ob\obhandle.c @ 3220]
      f9da9d0c 804ff203 804cdf50 00daf4c8 00000004 nt!KiSystemCallTrampoline+0x19 [e:\drivers\reactos\ntoskrnl\include\internal\i386\ke.h @ 684]
      f9da9d44 804fec5d f9da9d64 00daf4c8 00daf4c8 nt!KiSystemCall+0x213 [e:\drivers\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1619]
      f9da9d5c 80403d08 00daf4d4 77f2c16e badb0d00 nt!KiFastCallEntryHandler+0x6d [e:\drivers\reactos\ntoskrnl\ke\i386\traphdlr.c @ 1665]
      f9da9d5c 77f2c16e 00daf4d4 77f2c16e badb0d00 nt!KiFastCallEntry+0x71
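The assertion in the trace is an ownership check: MmFreeMemoryArea recovers the owning EPROCESS from the address-space pointer it was given (the expanded CONTAINING_RECORD over the Vm field) and requires that AddressCreationLock.Owner be the calling thread. The call chain CcUninitializeCacheMap -> CcpDereferenceCache -> MmUnmapCacheViewInSystemSpace -> MmUnmapViewOfCacheSegment reached it without taking the lock, which is what the assertion caught. The following is an added, user-mode C mock of that check, written for this page and not taken from ReactOS: the structure and function names (EPROCESS, Vm, AddressCreationLock, MmLockAddressSpace, MmFreeMemoryArea, KeGetCurrentThread) mirror the trace so the pattern is recognisable, but the lock is reduced to an Owner pointer, threads are simulated with plain structs selected by a global, and the function returns an error instead of breaking into the debugger so the unlocked path from the report can be exercised.

```c
/* Added example (not ReactOS code): user-mode mock of the AddressCreationLock
 * ownership check that MmFreeMemoryArea asserts on in the trace above.
 * All names below are assumptions chosen to mirror the assertion text. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Recover the enclosing structure from a pointer to one of its fields.
 * This is what the expanded macro in the assertion does:
 *   (EPROCESS *)((ULONG_PTR)AddressSpace - (ULONG_PTR)&((EPROCESS *)0)->Vm) */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((uintptr_t)(addr) - offsetof(type, field)))

typedef struct _KTHREAD { int Id; } KTHREAD;

/* Assumption: a minimal owner-tracking lock. Only the Owner bookkeeping
 * matters for the check; blocking and fairness are not modelled. */
typedef struct _ADDRESS_LOCK {
    KTHREAD *Owner;         /* NULL when unheld */
} ADDRESS_LOCK;

typedef struct _MMSUPPORT {
    int ReservedPages;      /* placeholder state protected by the lock */
} MMSUPPORT;

typedef struct _EPROCESS {
    int Pid;
    ADDRESS_LOCK AddressCreationLock;
    MMSUPPORT Vm;           /* the "address space" handed to Mm functions */
} EPROCESS;

/* Simulated current thread; a scenario sets this instead of a scheduler. */
static KTHREAD *CurrentThread;
static KTHREAD *KeGetCurrentThread(void) { return CurrentThread; }

static void MmLockAddressSpace(MMSUPPORT *AddressSpace)
{
    EPROCESS *Process = CONTAINING_RECORD(AddressSpace, EPROCESS, Vm);
    Process->AddressCreationLock.Owner = KeGetCurrentThread();
}

static void MmUnlockAddressSpace(MMSUPPORT *AddressSpace)
{
    EPROCESS *Process = CONTAINING_RECORD(AddressSpace, EPROCESS, Vm);
    Process->AddressCreationLock.Owner = NULL;
}

/* The condition from the assertion: the lock must be held by the calling
 * thread. Returns 1 if it is, 0 otherwise (unheld, or held by another). */
static int MmAddressSpaceHeldByCaller(const MMSUPPORT *AddressSpace)
{
    const EPROCESS *Process = CONTAINING_RECORD(AddressSpace, EPROCESS, Vm);
    return Process->AddressCreationLock.Owner == KeGetCurrentThread();
}

/* Mock of the function that fired the assertion. Instead of breaking into
 * the debugger it refuses the operation and returns -1 when the lock is not
 * held by the caller, so the failure mode in the report can be exercised. */
static int MmFreeMemoryArea(MMSUPPORT *AddressSpace, int Pages)
{
    if (!MmAddressSpaceHeldByCaller(AddressSpace)) {
        fprintf(stderr, "MmFreeMemoryArea: AddressCreationLock not held by caller\n");
        return -1;
    }
    AddressSpace->ReservedPages -= Pages;
    return 0;
}

/* 'locked' selects the correct path (lock, free, unlock) or the buggy one
 * from the trace (free without taking the lock). Returns the free result. */
static int FreeWithLockState(EPROCESS *Process, int Pages, int locked)
{
    int rc;
    if (locked) MmLockAddressSpace(&Process->Vm);
    rc = MmFreeMemoryArea(&Process->Vm, Pages);
    if (locked) MmUnlockAddressSpace(&Process->Vm);
    return rc;
}

/* Constructed scenario: a process with 'pages' reserved, freed 5 at a time
 * by thread 1. 'other_thread_holds' pre-sets the lock owner to thread 2.
 * Returns the remaining page count, or -1 if the ownership check refused. */
static int RunScenario(int pages, int locked, int other_thread_holds)
{
    KTHREAD me = { 1 }, other = { 2 };
    EPROCESS proc = { 4, { NULL }, { pages } };
    CurrentThread = &me;
    if (other_thread_holds) proc.AddressCreationLock.Owner = &other;
    if (FreeWithLockState(&proc, 5, locked) != 0) return -1;
    return proc.Vm.ReservedPages;
}

int main(void)
{
    printf("locked:           %d\n", RunScenario(20, 1, 0));
    printf("unlocked:         %d\n", RunScenario(20, 0, 0));
    printf("held by another:  %d\n", RunScenario(20, 0, 1));
    return 0;
}
```

The owner-based check is what makes the bug in the report detectable at all: a lock that only counts acquisitions cannot tell "held by me" from "held by the thread I am racing", and an address-space modification that proceeds under the latter is exactly the kind of unsynchronised VAD/memory-area change the assertion exists to prevent.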

      People

        Bug Zilla
        lorddoskias
        Votes: 0
        Watchers: 2