
audit: convert audit event class lookup to lockless

Description

audit: convert audit event class lookup to lockless

When system call auditing is enabled, every audited call
does a lookup in the evclass hash table. This table
appears to be insert-only (e.g., nothing can be removed)
and protecting it with an rwlock is overkill. Using
an rwlock causes just the atomic operations to maintain
uncontended rwlock state to be responsible for measurable
overhead on high core count servers making lots of system calls.

Given that the evclass hash table can never have items removed,
only added, using a mutex to serialize additions and converting
to ck_list allows sufficient protection for lockless lookups.

In a contrived example of 64 cores, all reading 1 byte from their
own file, this change increases performance from 5M reads/sec
to 70M reads/sec on an AMD 7502P.

Reviewed by: markj, mjg, glebius (privately)
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D53176
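The pattern the commit message describes, as an added userspace illustration (not code from this commit or from FreeBSD): an insert-only hash table where a mutex serializes additions and lookups take no lock. It substitutes C11 atomics and a pthread mutex for ck_list and the kernel mutex; all names (evc_ent, evc_lookup, evc_insert, NBUCKETS) are hypothetical, and updating an existing entry in place is a choice made for this sketch.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>

#define NBUCKETS 16                     /* hypothetical table size */

struct evc_ent {                        /* hypothetical: event id -> class mask */
    uint16_t event;                     /* immutable once published */
    _Atomic uint32_t class_mask;
    struct evc_ent *_Atomic next;
};

static struct evc_ent *_Atomic buckets[NBUCKETS];
static pthread_mutex_t insert_mtx = PTHREAD_MUTEX_INITIALIZER;

/* Reader: takes no lock. Safe only because entries are never unlinked or
 * freed, so any pointer a reader observes stays valid forever. */
uint32_t evc_lookup(uint16_t event)
{
    struct evc_ent *e = atomic_load_explicit(&buckets[event % NBUCKETS],
        memory_order_acquire);          /* pairs with the release store below */
    for (; e != NULL; e = atomic_load_explicit(&e->next, memory_order_acquire))
        if (e->event == event)
            return atomic_load_explicit(&e->class_mask, memory_order_relaxed);
    return 0;                           /* unknown event: no classes */
}

/* Writer: the mutex serializes writers against each other only. */
int evc_insert(uint16_t event, uint32_t mask)
{
    struct evc_ent *e, *head;
    int rc = 0;

    pthread_mutex_lock(&insert_mtx);
    head = atomic_load_explicit(&buckets[event % NBUCKETS], memory_order_relaxed);
    for (e = head; e != NULL; e = atomic_load_explicit(&e->next, memory_order_relaxed))
        if (e->event == event) {        /* already present: update in place */
            atomic_store_explicit(&e->class_mask, mask, memory_order_relaxed);
            goto out;
        }
    if ((e = malloc(sizeof(*e))) == NULL) { rc = -1; goto out; }
    e->event = event;                   /* fully initialize before publishing */
    atomic_init(&e->class_mask, mask);
    atomic_init(&e->next, head);
    /* Publish: release ordering makes the fields above visible to any
     * reader that sees the new head pointer. */
    atomic_store_explicit(&buckets[event % NBUCKETS], e, memory_order_release);
out:
    pthread_mutex_unlock(&insert_mtx);
    return rc;
}
```

If entries could ever be removed, readers would need a safe-reclamation scheme (epoch or similar) before memory is freed; the lockless lookup here depends on the insert-only property.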

Details

Provenance
gallatin Authored on Mon, Oct 27, 2:05 PM
Reviewer
markj
Differential Revision
D53176: audit: convert audit event class lookup to lockless
Parents
rG09b48f811b4b: ice(4): Add support for E835-XXV-4 adapter
Branches
Unknown
Tags
Unknown