K 10
svn:author
V 5
markj
K 8
svn:date
V 27
2016-02-12T20:43:53.182098Z
K 7
svn:log
V 447
Clear the cookie pointer on error in tmpfs_readdir().

It is otherwise left dangling, and callers that request cookies always free
the cookie buffer, even when VOP_READDIR(9) returns an error. This results
in a double free if tmpfs_readdir() returns an error to the NFS server or
the Linux getdents(2) emulation code.

Reported by:	pho
MFC after:	1 week
Security:	double free of malloc(9)-backed memory
Sponsored by:	EMC / Isilon Storage Division

END