/* Check whether timer is valid; global mutex must be held. */
static inline int
timer_valid (struct timer_node *timer)
{
  return timer && timer->inuse == TIMER_INUSE;
}
If some memory, cast to a timer_node struct, happens to have an inuse field matching the value of TIMER_INUSE, the validation check passes and it is attempted to be used.
What could be done is to check whether the passed-in timer is actually in __timer_array, such that we only try to operate on the valid ones.
Not sure what glibc prior to 2.33 did to check/detect it.
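As an added illustration of the membership check proposed above (this is not glibc's code; the struct layout, the TIMER_INUSE value and the TIMER_MAX array size are assumptions), the quoted check is placed beside one that also requires the pointer to be an element of the array:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for glibc's timer_node: only the field the check
   reads is modelled; TIMER_INUSE and TIMER_MAX values are assumed. */
#define TIMER_INUSE 1
#define TIMER_MAX   16
struct timer_node { int inuse; };

/* Stand-in for the static node array the post calls __timer_array. */
static struct timer_node __timer_array[TIMER_MAX];

/* The check quoted in the post: any memory whose inuse field happens to
   equal TIMER_INUSE passes. */
static inline int
timer_valid (struct timer_node *timer)
{
  return timer && timer->inuse == TIMER_INUSE;
}

/* Membership check proposed in the post: the pointer must lie inside the
   array and on an element boundary.  Addresses are compared as integers so
   no pointer arithmetic is done on a possibly-foreign pointer. */
static inline int
timer_in_array (const struct timer_node *timer)
{
  uintptr_t p = (uintptr_t) timer;
  uintptr_t lo = (uintptr_t) &__timer_array[0];
  uintptr_t hi = (uintptr_t) &__timer_array[TIMER_MAX]; /* one past the end */
  return p >= lo && p < hi && (p - lo) % sizeof (struct timer_node) == 0;
}

/* Combined check: must be a real array element *and* marked in use. */
static inline int
timer_valid_strict (struct timer_node *timer)
{
  return timer_in_array (timer) && timer->inuse == TIMER_INUSE;
}

int
main (void)
{
  struct timer_node fake = { TIMER_INUSE }; /* constructed: not in the array */
  __timer_array[3].inuse = TIMER_INUSE;
  printf ("fake node:  old=%d strict=%d\n",
          timer_valid (&fake), timer_valid_strict (&fake));
  printf ("array[3]:   old=%d strict=%d\n",
          timer_valid (&__timer_array[3]), timer_valid_strict (&__timer_array[3]));
  return 0;
}
```

The stack object passes the original check but fails the strict one, while a genuine array element marked in use passes both.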