    [PATCH] do_fork() error path memory leak · 23868940
    Andrew Morton authored
    From: <john.l.byrne@hp.com>
    
    In do_fork(), if an error occurs after the mm_struct for the child has been
    allocated, it is never freed.  The exit_mm() meant to free it increments
    the mm_count and this count is never decremented.  (For a running process
    that is exiting, schedule() takes care of this; however, the child process
    being cleaned up is not running.) In the CLONE_VM case, the parent's
    mm_struct will get an extra mm_count and so it will never be freed.
    
    This patch should fix both the CLONE_VM and the not CLONE_VM case; the test
    of p->active_mm prevents a panic in the case that a kernel-thread is being
    cloned.
fork.c 30.9 KB
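
The reference counting described in the commit message, as an added user-space model (not the kernel's code and not part of the patch). The functions share names with the kernel's `exit_mm()`, `mmput()` and `mmdrop()` but are reduced to counter arithmetic; the `patched` flag, the `failed_fork_*` helpers and the exact shape of the fix (dropping the extra reference through `active_mm` when it is non-NULL) are assumptions inferred from the message.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model: mm_users counts sharers, mm_count pins the struct itself. */
struct mm   { int mm_users, mm_count, freed; };
struct task { struct mm *mm, *active_mm; };

static void mmdrop(struct mm *mm) { if (--mm->mm_count == 0) mm->freed = 1; }
static void mmput(struct mm *mm)  { if (--mm->mm_users == 0) mmdrop(mm); }

/* Takes an extra mm_count reference, as the message describes; a running
 * task would lose it in schedule(), a never-run child does not. */
static void exit_mm(struct task *t)
{
    struct mm *mm = t->mm;
    if (!mm) return;                 /* kernel thread: no mm to release */
    mm->mm_count++;
    t->mm = NULL;                    /* active_mm still points at mm */
    mmput(mm);
}

/* Error-path cleanup for a child that never ran (hypothetical helper). */
static void fork_error_cleanup(struct task *child, int patched)
{
    exit_mm(child);
    if (patched && child->active_mm) /* NULL test covers kernel threads */
        mmdrop(child->active_mm);
}

/* Child with its own mm: returns mm_count left behind (0 means freed). */
static int failed_fork_own_mm(int patched)
{
    struct mm mm = { 1, 1, 0 };
    struct task child = { &mm, &mm };
    fork_error_cleanup(&child, patched);
    return mm.mm_count;
}

/* CLONE_VM: child shares the parent's mm; 1 is the parent's own reference. */
static int failed_fork_clone_vm(int patched)
{
    struct mm parent_mm = { 2, 1, 0 };   /* mm_users: parent + child */
    struct task child = { &parent_mm, &parent_mm };
    fork_error_cleanup(&child, patched);
    return parent_mm.mm_count;
}

int main(void)
{
    for (int p = 0; p <= 1; p++)
        printf("patched=%d own_mm=%d clone_vm=%d\n", p,
               failed_fork_own_mm(p), failed_fork_clone_vm(p));
    return 0;
}
```

A leftover count of 1 in the own-mm case means the child's `mm_struct` is never freed; a count of 2 in the CLONE_VM case means the parent's `mm_struct` carries a reference nothing will ever drop.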