Thirty years of a single language
For over thirty years the Linux kernel has been written exclusively in C, with small portions in assembly for low-level hardware interfaces. C offers the direct control over memory and hardware that a kernel requires, but at a known cost: memory safety vulnerabilities — use-after-free, buffer overflow, data race — account for a significant share of kernel security bugs. Data from the Google Android project indicates that the majority of critical vulnerabilities in kernel components stem from memory management errors.
The proposal to introduce Rust as a second language in the kernel, discussed for years in the community, reaches a concrete milestone with kernel 6.1.
The Rust infrastructure in kernel 6.1
Kernel 6.1, whose merge window closes in October 2022, includes the initial infrastructure for writing kernel modules in Rust. This is not about rewriting existing components: the goal is to enable the development of new drivers and modules in a language that eliminates by construction entire classes of memory bugs.
The infrastructure comprises several components. Bindings to the kernel’s C APIs allow Rust code to interact with the existing kernel’s data structures and functions. A custom allocator integrates the kernel’s memory allocation system with Rust’s ownership model. A kernel-specific panic handler manages unrecoverable error situations in the kernel context, where a panic cannot simply terminate the process.
Integration challenges
Integrating Rust into a thirty-million-line C project presents unique challenges. ABI conventions must be compatible: Rust data structures crossing the boundary with C must respect the C memory layout. The kernel build system, based on Kbuild and Make, must support Rust compilation alongside C.
The debate within the kernel community has been lengthy. Linus Torvalds welcomed the proposal pragmatically, accepting the merge into the 6.1 release. Other maintainers expressed concerns about added complexity. The decision was to proceed incrementally: the infrastructure enters the kernel, the first experimental drivers will follow.
A precise goal: new drivers
The stated goal is not to rewrite existing kernel subsystems in Rust — an undertaking impractical in both scale and risk. The goal is to offer future driver developers — the kernel component most prone to memory bugs, often written by teams with less kernel experience — a tool that prevents vulnerabilities at compile time rather than detecting them at runtime.
A historic precedent
The inclusion of Rust in the Linux kernel is an unprecedented event in the project’s history. For the first time in thirty years, the kernel welcomes a second system programming language. The decision reflects a pragmatic recognition: C remains irreplaceable for existing code, but for new code there is an alternative that offers safety guarantees without sacrificing performance.
Link: kernel.org