ANDROID: mm: always destroy mmu_notifier percpu_rwsem asynchronously

Currently mmu_notifier percpu_rwsem is destroyed asynchronously when
__mmdrop() is called in the atomic context. The below calltrace indicates
that __mmdrop() can be called from the CPU hotplug path which already
takes CPU hotplug lock (write side) and we try to take it again (read side)
from percpu_rwsem destruction. This results in lock recursion and the CPU
hotplug operation stuck forever.

-001|context_switch(inline)
-001|__schedule()
-002|__preempt_count_sub(inline)
-002|schedule()
-003|_raw_spin_unlock_irq(inline)
-003|spin_unlock_irq(inline)
-003|percpu_rwsem_wait()
-004|__preempt_count_add(inline)
-004|__percpu_down_read()
-005|percpu_down_read(inline)
-005|cpus_read_lock() // trying to get cpu_hotplug_lock again
-006|rcu_barrier()
-007|rcu_sync_dtor()
-008|mmu_notifier_subscriptions_destroy(inline)
-008|__mmdrop()
-009|mmdrop(inline)
-009|finish_cpu()
-010|cpuhp_invoke_callback()
-011|cpuhp_invoke_callback_range(inline)
-011|cpuhp_down_callbacks()
-012|_cpu_down() // acquired cpu_hotplug_lock (write lock)

Bug: 240377090
Fixes: 1ae855f191 ("FROMLIST: mm: add mmu_notifier_lock")
Change-Id: Idb3ad668b04127c5d930aade103f53eb5ec527c0
Signed-off-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>

include/linux/mmu_notifier.h

@@ -532,12 +532,7 @@ static inline void mmu_notifier_subscriptions_destroy(struct mm_struct *mm)
 		__mmu_notifier_subscriptions_destroy(mm);
 
 #ifdef CONFIG_SPECULATIVE_PAGE_FAULT
-	if (!in_atomic()) {
-		percpu_free_rwsem(mm->mmu_notifier_lock);
-		kfree(mm->mmu_notifier_lock);
-	} else {
-		percpu_rwsem_async_destroy(mm->mmu_notifier_lock);
-	}
+	percpu_rwsem_async_destroy(mm->mmu_notifier_lock);
 #endif
 }