From 83a277830f1402cf7e145c3234c3607649eda94b Mon Sep 17 00:00:00 2001 From: John Baldwin Date: Fri, 25 Sep 2020 21:19:56 +0000 Subject: [PATCH] Revert most of r360179. I had failed to notice that sgsendccb() was using cam_periph_mapmem() and thus was not passing down user pointers directly to drivers. In practice this broke requests submitted from userland. PR: 249395 Reported by: Trenton Schulz Reviewed by: scottl MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D26550 --- sys/cam/scsi/scsi_sg.c | 25 +------------------------ 1 file changed, 1 insertion(+), 24 deletions(-) diff --git a/sys/cam/scsi/scsi_sg.c b/sys/cam/scsi/scsi_sg.c index 7a28ccf732af..81b964a6828e 100644 --- a/sys/cam/scsi/scsi_sg.c +++ b/sys/cam/scsi/scsi_sg.c @@ -507,7 +507,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td) struct cam_periph *periph; struct sg_softc *softc; struct sg_io_hdr *req; - void *data_ptr; int dir, error; periph = (struct cam_periph *)dev->si_drv1; @@ -552,20 +551,12 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td) break; } - if (req->dxfer_len > MAXPHYS) { - error = EINVAL; - break; - } - - data_ptr = malloc(req->dxfer_len, M_DEVBUF, M_WAITOK); - ccb = cam_periph_getccb(periph, CAM_PRIORITY_NORMAL); csio = &ccb->csio; error = copyin(req->cmdp, &csio->cdb_io.cdb_bytes, req->cmd_len); if (error) { - free(data_ptr, M_DEVBUF); xpt_release_ccb(ccb); break; } @@ -586,21 +577,12 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td) break; } - if (dir == CAM_DIR_IN || dir == CAM_DIR_BOTH) { - error = copyin(req->dxferp, data_ptr, req->dxfer_len); - if (error) { - free(data_ptr, M_DEVBUF); - xpt_release_ccb(ccb); - break; - } - } - cam_fill_csio(csio, /*retries*/1, /*cbfcnp*/NULL, dir|CAM_DEV_QFRZDIS, MSG_SIMPLE_Q_TAG, - data_ptr, + req->dxferp, req->dxfer_len, req->mx_sb_len, req->cmd_len, 
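Review bot: The `req->dxferp` argument now passed to cam_fill_csio() is a userland address taken straight from the SG_IO request, and nothing at the call site records why that is safe. Per the commit message it is safe only because sgsendccb() maps the buffer with cam_periph_mapmem() before the CCB reaches a driver, which is the detail that was overlooked in r360179. I would add a comment above the call, e.g. `/* dxferp is a user pointer; sgsendccb() maps it via cam_periph_mapmem() before the CCB is dispatched. */`. With the explicit `req->dxfer_len > MAXPHYS` check reverted in the previous hunk, the limit on the user-supplied length presumably falls to that mapping routine as well; this is not visible in the patch and is worth confirming. The sgioctl() body starts and ends outside this hunk.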
@@ -610,7 +592,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td) if (error) { req->host_status = DID_ERROR; req->driver_status = DRIVER_INVALID; - free(data_ptr, M_DEVBUF); xpt_release_ccb(ccb); break; } @@ -629,10 +610,6 @@ sgioctl(struct cdev *dev, u_long cmd, caddr_t arg, int flag, struct thread *td) req->sb_len_wr); } - if ((dir == CAM_DIR_OUT || dir == CAM_DIR_BOTH) && error == 0) - error = copyout(data_ptr, req->dxferp, req->dxfer_len); - - free(data_ptr, M_DEVBUF); xpt_release_ccb(ccb); break;