From: Dave Kleikamp <shaggy@austin.ibm.com>

I was looking through the radix tree code and came across what I think
is a bug in radix_tree_delete.

	for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
		if (pathp[0].node->tags[tag][idx]) {
			tags[tag] = 1;
			nr_cleared_tags--;
			break;
		}
	}

The above loop should only be executed if tags[tag] is zero.  Otherwise,
when walking up the tree, we can decrement nr_cleared_tags twice or more
for the same value of tag, thus potentially exiting the outer loop too
early.

Ensure that nr_cleared_tags is only decremented once for each tag.

Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/lib/radix-tree.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff -puN lib/radix-tree.c~radix_tree_delete-fix lib/radix-tree.c
--- 25/lib/radix-tree.c~radix_tree_delete-fix	2004-11-10 22:36:19.268336368 -0800
+++ 25-akpm/lib/radix-tree.c	2004-11-10 22:36:19.273335608 -0800
@@ -701,8 +701,10 @@ void *radix_tree_delete(struct radix_tre
 		for (tag = 0; tag < RADIX_TREE_TAGS; tag++) {
 			int idx;
 
-			if (!tags[tag])
-				tag_clear(pathp[0].node, tag, pathp[0].offset);
+			if (tags[tag])
+				continue;
+
+			tag_clear(pathp[0].node, tag, pathp[0].offset);
 
 			for (idx = 0; idx < RADIX_TREE_TAG_LONGS; idx++) {
 				if (pathp[0].node->tags[tag][idx]) {
_