Index: sys_generic.c
===================================================================
RCS file: /cvs/src/sys/kern/sys_generic.c,v
retrieving revision 1.92
diff -u -p -r1.92 sys_generic.c
--- sys_generic.c 13 Jul 2014 15:48:41 -0000 1.92
+++ sys_generic.c 9 Oct 2014 00:18:15 -0000
@@ -941,11 +941,15 @@ doppoll(struct proc *p, struct pollfd *f
 if (nfds > min((int)p->p_rlimit[RLIMIT_NOFILE].rlim_cur, maxfiles))
 return (EINVAL);
- sz = sizeof(struct pollfd) * nfds;
- /* optimize for the default case, of a small nfds value */
- if (sz > sizeof(pfds))
- pl = malloc(sz, M_TEMP, M_WAITOK);
+ if (nfds > nitems(pfds)) {
+ pl = mallocarray(nfds, sizeof(*pl), M_TEMP,
+ M_WAITOK | M_CANFAIL);
+ if (pl == NULL)
+ return (EOVERFLOW);
+ }
+
+ sz = nfds * sizeof(*pl);
 if ((error = copyin(fds, pl, sz)) != 0)
 goto bad;
@@ -1009,7 +1013,7 @@ done:
 }
 bad:
 if (pl != pfds)
- free(pl, M_TEMP, 0);
+ free(pl, M_TEMP, sz);
 return (error);
 }
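Review bot: The NULL branch after `mallocarray()` reports `EOVERFLOW` for every failure, but with `M_CANFAIL` a NULL return presumably also covers a request that could not be satisfied, not only an overflow of `nfds * sizeof(*pl)`. Because `nfds` is already capped by the `RLIMIT_NOFILE`/`maxfiles` check directly above, an arithmetic overflow looks unreachable at this point, so the remaining failure is better described to the caller as `return (ENOMEM);`. Whichever value is kept, a one-line comment on that return stating which failure it stands for would save the next reader from re-deriving the bound. The body of doppoll starts and ends outside this hunk, so this assumes `nfds` is not modified between the limit check and the allocation.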
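Review bot: `free(pl, M_TEMP, sz)` at `bad:` is only correct while `sz` still equals the size that was allocated, and the code between the two hunks is not visible here, so that cannot be confirmed from the diff alone. The two early returns in the first hunk leave before `sz` is assigned, but they never reach `bad:`, so no uninitialized size is passed on the visible paths. I would document the coupling where `sz` is set, for example `/* sz is also the size given to free() at bad:; do not reuse */`, so a later edit that recycles `sz` does not hand a stale size to the sized free. The `done:` block that precedes the label begins outside this hunk.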