On Mon, 10 Oct 2016, Linus Torvalds wrote:
> But the fact that it reacts _so_ badly to double-freeing issues when
> the freelist has become corrupted due to an object being free'd and
> then modified is clearly very fragile and not great.
Yup that is why the debug options move the freepointer after the object
and verify that the pointers in the chain point to valid objects in the
slab page. slub_debug has special logic to detect double freeing and that
option can be enabled separatelhy.