The q_pgs pointer was assigned to point at the trailing memory
allocated past the struct. Convert it to a proper C99 flexible
array member and use struct_size() for the allocation.
Assisted-by: Claude:Opus-4.7
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/scsi/lpfc/lpfc_sli.c | 3 +--
drivers/scsi/lpfc/lpfc_sli4.h | 3 ++-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index d38fb374b379..0e56e7034566 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -15875,7 +15875,7 @@ lpfc_sli4_queue_alloc(struct lpfc_hba *phba, uint32_t page_size,
if (pgcnt > phba->sli4_hba.pc_sli4_params.wqpcnt)
pgcnt = phba->sli4_hba.pc_sli4_params.wqpcnt;
- queue = kzalloc_node(sizeof(*queue) + (sizeof(void *) * pgcnt),
+ queue = kzalloc_node(struct_size(queue, q_pgs, pgcnt),
GFP_KERNEL, cpu_to_node(cpu));
if (!queue)
return NULL;
@@ -15892,7 +15892,6 @@ lpfc_sli4_queue_alloc(struct lpfc_hba *phba, uint32_t page_size,
* resources, the free routine needs to know what was allocated.
*/
queue->page_count = pgcnt;
- queue->q_pgs = (void **)&queue[1];
queue->entry_cnt_per_pg = hw_page_size / entry_size;
queue->entry_size = entry_size;
queue->entry_count = entry_count;
diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h
index 2744786d9c94..e2b95fb50d55 100644
--- a/drivers/scsi/lpfc/lpfc_sli4.h
+++ b/drivers/scsi/lpfc/lpfc_sli4.h
@@ -280,9 +280,10 @@ struct lpfc_queue {
uint64_t isr_timestamp;
struct lpfc_queue *assoc_qp;
struct list_head _poll_list;
- void **q_pgs; /* array to index entries per page */
enum lpfc_poll_mode poll_mode;
+
+ void *q_pgs[]; /* array to index entries per page */
};
struct lpfc_sli4_link {
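Review bot: The new flexible array member `void *q_pgs[];` in struct lpfc_queue carries no bounds annotation, so compiler and run-time bounds checking cannot tie its length to the size passed as `struct_size(queue, q_pgs, pgcnt)`. Since lpfc_sli4_queue_alloc stores the same pgcnt in `queue->page_count`, the member could be declared `void *q_pgs[] __counted_by(page_count); /* array to index entries per page */`. That is only correct if page_count is assigned before the first q_pgs access and never changed afterwards, which needs confirming against code outside these hunks. It would also help to extend the comment to say that q_pgs must stay the last member and that the struct has to be allocated with struct_size(), so a later field addition or a plain sizeof allocation does not undersize the array.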
--
2.54.0