Why Linus Torvalds Slammed Security‑Hardening Patches in Linux 4.15

Background

During the merge window for Linux 4.15, Kees Cook submitted a series of patches to harden the usercopy subsystem (v4.15‑rc1). The patches introduce an explicit whitelist for slab cache regions that are safe for usercopy, reducing the attack surface for usercopy‑related memory bugs.

Patch Details

Explicit whitelisting of slab cache objects used by copy_to_user and copy_from_user.

Fallback mode that disables the whitelist when an unlisted region is accessed, preserving existing functionality.

Cook noted that a few whitelist entries were missing; the fallback is intended as a temporary safety net and will be removed after one or two releases.

Community Reaction

Linus Torvalds questioned the usefulness and testing coverage of the changes, calling the patches “just bugs” and warning that the new rules could cause kernel crashes. He argued that security fixes should be treated like ordinary bugs, not as a reason to change the kernel’s execution model.

Paolo Bonzini (KVM maintainer) and other developers defended the patches, urging Linus to merge at least a subset even after the -rc1 stage.

Cook’s Response and Future Work

Cook acknowledged that the patches were introduced late in the development cycle, limiting thorough testing. He plans to refine the series, improve test coverage, and target inclusion in the 4.16 release, with the intention of removing the fallback mode after it has proven stable.

Key Takeaways

Security hardening should be accompanied by adequate testing before being merged.

Linus emphasizes that security issues are bugs, not a justification for aggressive kernel‑killing policies.

Explicit whitelisting can reduce the vulnerable memory region for usercopy, but fallback mechanisms must be carefully managed.