From: john.l.byrne@hp.com In do_fork(), if an error occurs after the mm_struct for the child has been allocated, it is never freed. The exit_mm() meant to free it increments the mm_count and this count is never decremented. (For a running process that is exiting, schedule() takes care of this; however, the child process being cleaned up is not running.) In the CLONE_VM case, the parent's mm_struct will get an extra mm_count and so it will never be freed. This patch should fix both the CLONE_VM and the not CLONE_VM case; the test of p->active_mm prevents a panic in the case that a kernel-thread is being cloned. --- 25-akpm/kernel/fork.c | 2 ++ 1 files changed, 2 insertions(+) diff -puN kernel/fork.c~do_fork-error-path-memory-leak kernel/fork.c --- 25/kernel/fork.c~do_fork-error-path-memory-leak 2004-04-09 21:05:02.785608032 -0700 +++ 25-akpm/kernel/fork.c 2004-04-09 21:05:02.789607424 -0700 @@ -1086,6 +1086,8 @@ bad_fork_cleanup_namespace: exit_namespace(p); bad_fork_cleanup_mm: exit_mm(p); + if (p->active_mm) + mmdrop(p->active_mm); bad_fork_cleanup_signal: exit_signal(p); bad_fork_cleanup_sighand: _
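Review bot: The added `mmdrop(p->active_mm)` under `bad_fork_cleanup_mm:` silently depends on the `mm_count` reference that `exit_mm(p)` takes internally (the one `schedule()` would normally release for a task that actually ran), and nothing in the hunk says so; a reader who later changes `exit_mm()` or reorders these labels will not see why an extra drop is correct here. Suggest a one-line comment on the new lines, e.g. `/* exit_mm() took an mm_count ref that schedule() would drop; the child never ran, so drop it here */`. The correctness of the pairing also rests on `p->mm` and `p->active_mm` being set together (so that `exit_mm()` took the reference exactly when `p->active_mm` is non-NULL); that invariant is what the `if (p->active_mm)` test encodes and is worth stating in the same comment, since the commit message only mentions the kernel-thread panic it avoids. Finally, consider clearing `p->active_mm = NULL` after the drop so the task_struct that the later cleanup labels tear down does not carry a dangling mm pointer.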