[PATCH] radix_tree_delete() fix

I was looking through the radix tree code and came across what I think
is a bug in radix_tree_delete.

	for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
		if (pathp[0].node->tags[tag][idx]) {
			tags[tag] = 1;
			nr_cleared_tags--;
			break;
		}
	}

The above loop should only be executed if tags[tag] is zero.  Otherwise,
when walking up the tree, we can decrement nr_cleared_tags twice or more
for the same value of tag, thus potentially exiting the outer loop too
early.

Ensure that nr_cleared_tags is only decremented once for each tag.
Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

lib/radix-tree.c

@@ -701,8 +701,10 @@ void *radix_tree_delete(struct radix_tree_root *root, unsigned long index)
 		for (tag = 0; tag < RADIX_TREE_TAGS; tag++) {
 			int idx;
 
-			if (!tags[tag])
-				tag_clear(pathp[0].node, tag, pathp[0].offset);
+			if (tags[tag])
+				continue;
+
+			tag_clear(pathp[0].node, tag, pathp[0].offset);
 
 			for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
 				if (pathp[0].node->tags[tag][idx]) {