Fix null dereference in spa_vdev_remove_cancel_sync()

We don't really need to access space map to know where the metaslab
ends, while msp->ms_sm might be NULL.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Rob Norris <robn@despairlabs.com>
Reviewed by: Igor Kozhukhov <ikozhukhov@gmail.com>
Signed-off-by:	Alexander Motin <mav@FreeBSD.org>
Sponsored by:	iXsystems, Inc.
Fixes #17164
Fixes #17359
Closes #17361
(cherry picked from commit 5c30b24)

Author: amotin

module/zfs/vdev_removal.c

@@ -1931,10 +1931,9 @@ spa_vdev_remove_cancel_sync(void *arg, dmu_tx_t *tx)
 		 * because we have not allocated mappings for it yet.
 		 */
 		uint64_t syncd = vdev_indirect_mapping_max_offset(vim);
-		uint64_t sm_end = msp->ms_sm->sm_start +
-		    msp->ms_sm->sm_size;
-		if (sm_end > syncd)
-			zfs_range_tree_clear(segs, syncd, sm_end - syncd);
+		uint64_t ms_end = msp->ms_start + msp->ms_size;
+		if (ms_end > syncd)
+			zfs_range_tree_clear(segs, syncd, ms_end - syncd);
 
 		zfs_range_tree_vacate(segs, free_mapped_segment_cb, vd);
 	}