Xen Project XSA-294

x86 shadow: Insufficient TLB flushing when using PCID

2019-03-05 12:00:00
Xen Project
xenbits.xen.org

6.5 Medium (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

4.9 Medium (CVSS2)
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.0004 Low (Percentile 13.4%)

ISSUE DESCRIPTION

Use of Process Context Identifiers (PCID) was introduced into Xen in order to improve performance after XSA-254 (and in particular its Meltdown sub-issue). This enablement implied changes to the TLB flushing logic. One aspect which was overlooked is the safety of switching between shadow pagetables, which previously relied on the unconditional TLB flush performed by a write to CR3.
With PCID enabled, a switch of shadow pagetable for a 64-bit PV guest fails to invalidate the linear mappings of the previous shadow pagetable. As a result, subsequent accesses to the shadow pagetables may be deemed safe by the shadow logic (based on the old shadow pagetable) but fault when made in practice.
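The mechanism above (a CR3 write that no longer flushes, so a cached linear mapping of the old shadow pagetable survives the switch) can be shown with a small TLB model. The code below is an added illustration, not Xen code and not the fix the advisory ships: the addresses, the two shadow pagetables, the fixed linear pagetable slot and the rule that the PCID-enabled path switches CR3 in its no-flush form (bit 63 set) are all constructed assumptions of the model. The architectural rules it encodes are that without CR4.PCIDE every CR3 write drops all non-global TLB entries, while with PCIDE a CR3 write with bit 63 clear drops only the new PCID's entries and a write with bit 63 set drops nothing, leaving explicit invalidation (INVPCID here) as the only way to remove stale entries.

```python
"""Toy model of x86 TLB flushing with and without PCID (constructed illustration).

Not Xen code. Addresses, pagetables and the 'linear pagetable' slot are invented.
Modelled architectural rules (assumptions of this model):
  * CR4.PCIDE = 0: every write to CR3 drops all (non-global) TLB entries.
  * CR4.PCIDE = 1: a CR3 write with bit 63 clear drops only entries tagged
    with the new PCID; with bit 63 set (the no-flush form that gives PCID its
    performance benefit) it drops nothing, so stale entries survive until
    invalidated explicitly (INVPCID, modelled below).
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

CR3_NOFLUSH = 1 << 63
PCID_MASK = 0xFFF
# Constructed: a fixed virtual address that every pagetable maps onto its own
# frame, standing in for a hypervisor's linear pagetable mapping.
LINEAR_PT_VA = 0xFFFF_8000_0000_0000

SHADOW_A_FRAME = 0x1000
SHADOW_B_FRAME = 0x2000
# Constructed shadow pagetables: VA -> PA.
SHADOW_A = {LINEAR_PT_VA: SHADOW_A_FRAME, 0x400000: 0x5000}
SHADOW_B = {LINEAR_PT_VA: SHADOW_B_FRAME, 0x400000: 0x6000}


@dataclass
class Cpu:
    pcide: bool                                   # CR4.PCIDE
    tables: Dict[int, Dict[int, int]]             # CR3 frame -> pagetable
    cr3: int = 0
    tlb: Dict[Tuple[int, int], int] = field(default_factory=dict)  # (pcid, va) -> pa

    def write_cr3(self, frame: int, pcid: int = 0, noflush: bool = False) -> None:
        """MOV to CR3 with the flushing semantics described in the module docstring."""
        if not self.pcide:
            self.tlb.clear()
        elif not noflush:
            self.invpcid_single(pcid)
        self.cr3 = frame | (pcid if self.pcide else 0)
        if self.pcide and noflush:
            self.cr3 |= CR3_NOFLUSH

    def invpcid_single(self, pcid: int) -> None:
        """Explicit invalidation of every entry tagged with one PCID."""
        self.tlb = {k: v for k, v in self.tlb.items() if k[0] != pcid}

    def current_pcid(self) -> int:
        return self.cr3 & PCID_MASK if self.pcide else 0

    def current_table(self) -> Dict[int, int]:
        return self.tables[self.cr3 & ~(PCID_MASK | CR3_NOFLUSH)]

    def translate(self, va: int) -> int:
        """Return the PA the CPU would use: a cached TLB entry wins over the pagetable."""
        key = (self.current_pcid(), va)
        if key not in self.tlb:
            self.tlb[key] = self.current_table()[va]
        return self.tlb[key]


def switch_shadow(pcide: bool, noflush: bool, explicit_flush: bool) -> Tuple[int, int]:
    """Switch from SHADOW_A to SHADOW_B under the same PCID and return
    (PA the TLB yields for LINEAR_PT_VA, PA the new pagetable actually maps)."""
    cpu = Cpu(pcide=pcide, tables={SHADOW_A_FRAME: SHADOW_A, SHADOW_B_FRAME: SHADOW_B})
    cpu.write_cr3(SHADOW_A_FRAME, pcid=1)
    cpu.translate(LINEAR_PT_VA)               # cache A's linear mapping in the TLB
    cpu.write_cr3(SHADOW_B_FRAME, pcid=1, noflush=noflush)
    if explicit_flush:
        cpu.invpcid_single(1)                 # what a safe switch path must add
    return cpu.translate(LINEAR_PT_VA), SHADOW_B[LINEAR_PT_VA]


def is_stale(pcide: bool, noflush: bool, explicit_flush: bool) -> bool:
    """True when the TLB still resolves the linear slot to the OLD shadow pagetable."""
    seen, expected = switch_shadow(pcide, noflush, explicit_flush)
    return seen != expected


if __name__ == "__main__":
    print("no PCID, plain CR3 write         stale:", is_stale(False, False, False))
    print("PCID, no-flush CR3 write         stale:", is_stale(True, True, False))
    print("PCID, no-flush + explicit INVPCID stale:", is_stale(True, True, True))
```

The middle case is the one the advisory describes: the shadow logic consults the new pagetable (SHADOW_B) and decides an access is safe, while the CPU still resolves the linear slot through the cached entry for SHADOW_A, so the access faults. The third case shows why the remedy is an explicit invalidation on the switch path rather than relying on the CR3 write.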

IMPACT

Malicious 64-bit PV guests may be able to cause a host crash (Denial of Service).
Additionally, vulnerable configurations are unstable even in the absence of an attack.

VULNERABLE SYSTEMS

Only x86 systems are vulnerable. ARM systems are not vulnerable.
Only systems running 64-bit x86 PV guests are vulnerable. Systems running only x86 HVM, PVH or 32-bit PV guests are not vulnerable.
Only systems with at least one PCID-enabled PV guest are vulnerable.
Systems where PCID or INVPCID are unavailable or entirely disabled are not vulnerable.
Note that PCID is enabled by default for both 64-bit dom0 and 64-bit domU when the hardware supports it. PCID acceleration has been backported to the following versions:
- Xen 4.11.x
- Xen 4.10.2 and onwards
- Xen 4.9.3 and onwards
- Xen 4.8.4 and onwards
- Xen 4.7.6
