This is the problem I have solved (incorrect segments), but it also
shows a nasty bug in SCSI.

If scsi_init_io() fails there, it calls scsi_end_request() which ends
the entire request. That calls __scsi_release_command() which clears
SCpnt->request (its now gone), but you then proceed to
scsi_mlqueue_insert() which ends up doing blk_insert_request() on
SCpnt->request. Boom.

Problem is there are two possible reason to return failure from init_io.
So we need to do the requeue inside init_io.

[patch fixed to work with request prep function]