A flaw was found in xen. The INVPCID instruction raises #GP[0] if an attempt is made to invalidate a non-canonical address. Older flushing mechanisms such as INVLPG tolerate this without error, and perform no action. There is one guest accessible path in Xen where a non-canonical address was passed into the TLB flushing code. This previously had no ill effect, but became vulnerable with the introduction of PCID to reduce the performance hit from the Meltdown mitigations.
References: https://seclists.org/oss-sec/2018/q4/155
Acknowledgments: Name: the Xen project
Created xen tracking bugs for this issue: Affects: fedora-all [bug 1651970]