Shared memory ids are stored in struct tee_device, which is common to all clients connected to tee driver.
A potentially malicious user space client can hijack shared memory allocated to another user space client by spoofing id.

Although, ids are created using idr_alloc, it is better to either store pid's in struct tee_shm (so that we can verify when referred) or store struct tee_shm in struct tee_context for every user space client (while searching for ids we use the tee_shm from tee_context, this way there is no need to do additional pid checking).