nullfs mounting a unionfs mount point lists the underlying [duplicate] entries for each union layer.

Bug exists in [at least] 12.3-RELEASE and 13.0-RELEASE  (amd64).

#### Example Setup
mkdir /broken
mkdir /broken/layer1
mkdir /broken/layer2
mkdir /broken/layer3
mkdir /broken/union-mnt
mkdir /broken/null-of-union-mnt

mkdir /broken/layer1/a
mkdir /broken/layer1/b
mkdir /broken/layer1/c
mkdir /broken/layer1/d
mkdir /broken/layer1/e

# Could be any mount type (e.g. NFS, cd9660, etc)
mount_nullfs /broken/layer1 /broken/union-mnt

# Add second layer
mount_unionfs /broken/layer2 /broken/union-mnt

# Trigger shadow directory creations (on layer 2)
ls /broken/union-mnt/a

# Add third layer
mount_unionfs /broken/layer3 /broken/union-mnt

# Trigger shadow directory creations (on layer 3)
ls /broken/union-mnt/a

# null mount the union somewhere
mount_nullfs /broken/union-mnt /broken/null-of-union-mnt


#### union looks as expected (unified)
ls /broken/union-mnt
a       b       c       d       e


#### nullfs of union shows duplicates
ls /broken/null-of-union-mnt
a       a       a       b       c       d       e


#### Trigger more shadow copies and list again
ls /broken/union-mnt/c
ls /broken/null-of-union-mnt
a       a       a       b       c       c       c       d       e


#### Teardown
umount /broken/null-of-union-mnt
umount /broken/union-mnt
umount /broken/union-mnt
umount /broken/union-mnt

rmdir /broken/null-of-union-mnt
rmdir /broken/union-mnt

rmdir /broken/layer1/[a-z]
rmdir /broken/layer1

rmdir /broken/layer2/[a-z]
rmdir /broken/layer2

rmdir /broken/layer3/[a-z]
rmdir /broken/layer3

rmdir /broken

######

These duplicates also show up in a jail using a nullfs mount (of a unionfs). Unless otherwise verified, it should be assumed such a jail might have direct access to the underlying unionfs layers.