Fix ZFS panic on space map corruption

Add defensive validation to prevent kernel panics when corrupted space map
data is encountered during pool import. Instead of panicking, the system
now logs corruption and continues in read-only mode.

Changes:
- space_map.c: Add bounds checking in space_map_load_callback to skip
  zero-sized and out-of-bounds entries
- range_tree.c: Add defensive check in zfs_range_tree_remove_impl to detect
  corrupted segment bounds and recover gracefully

Author: tidjean

module/zfs/range_tree.c

@@ -503,6 +503,18 @@ zfs_range_tree_remove_impl(zfs_range_tree_t *rt, uint64_t start, uint64_t size,
 	rstart = zfs_rs_get_start(rs, rt);
 	rend = zfs_rs_get_end(rs, rt);
 
+	/*
+	 * Defensive check: if we detect corrupted bounds, log the issue
+	 * and try to recover rather than panicking
+	 */
+	if (rstart > start) {
+		zfs_panic_recover("zfs: rt=%s: segment bounds invalid - "
+		    "existing start (%llx) > requested start (%llx), "
+		    "this may indicate corrupted space map data",
+		    ZFS_RT_NAME(rt), (longlong_t)rstart, (longlong_t)start);
+		return;
+	}
+
 	/*
 	 * Range trees with gap support must only remove complete segments
 	 * from the tree. This allows us to maintain accurate fill accounting

module/zfs/space_map.c

@@ -402,6 +402,21 @@ static int
 space_map_load_callback(space_map_entry_t *sme, void *arg)
 {
 	space_map_load_arg_t *smla = arg;
+	
+	/* Validate space map entry bounds */
+	if (sme->sme_run == 0) {
+		return (0);
+	}
+	
+	if (sme->sme_offset + sme->sme_run > smla->smla_sm->sm_size) {
+		zfs_panic_recover("Skipping out-of-bounds space map entry "
+		    "(offset=%llu, size=%llu, sm_size=%llu)",
+		    (unsigned long long)sme->sme_offset,
+		    (unsigned long long)sme->sme_run,
+		    (unsigned long long)smla->smla_sm->sm_size);
+		return (0);
+	}
+	
 	if (sme->sme_type == smla->smla_type) {
 		VERIFY3U(zfs_range_tree_space(smla->smla_rt) + sme->sme_run, <=,
 		    smla->smla_sm->sm_size);