Why the Linux Kernel is Embracing Rust: Inside the Debate and Policy Fight

Background

In a recent Linux‑kernel mailing‑list thread, senior developer Greg Kroah‑Hartman urged contributors to welcome developers who want to improve the kernel with Rust code.

He acknowledged that mixed‑language codebases are rough and hard to maintain, but emphasized the long‑term benefits of adding a memory‑safe language.

Earlier, a proposed patch allowing Rust‑written device drivers to call the core DMA API (written in C) was challenged by maintainer Christoph Hellwig, who likened multi‑language codebases to cancer and resisted the added maintenance load.

The dispute escalated, prompting Asahi Linux lead Hector Martin to ask Linus Torvalds to decide on the patch. Torvalds defended the kernel development process and rebuked Martin’s public posturing; Martin later stepped down from his Linux maintenance roles.

Policy Fight

Miguel Ojeda, leader of the Rust‑for‑Linux project, published a “Rust Kernel Policy” to reassure the community.

Hellwig reiterated his concerns about mixing Rust and C, criticizing that the policy document lived outside the kernel tree.

He questioned the purpose of the Rust experiment, noting that many severe bugs stem from memory‑unsafe C code and that substantial work has already been invested in fixing such issues.

Rust was added to the Linux kernel in 2022 because of its superior memory safety compared to C.

Experts argue that most critical bugs in large codebases arise from memory‑safety errors, which could be avoided by using safe languages like Rust, Go, C#, Java, Swift, Python, or JavaScript.

However, seasoned C/C++ programmers worry their skills may become less relevant, leading many to seek memory‑safety solutions without blindly adopting Rust.

Kroah‑Hartman, responding to Microsoft kernel engineer Feng Boqun, highlighted that most bugs he sees are tiny C edge‑cases that disappear in Rust.

He explained that issues such as simple memory overwrites, error‑path cleanup, missed error checks, and use‑after‑free are largely eliminated by Rust, freeing developers to focus on logical bugs and race conditions.

He also stressed that while improving C code remains important, new code and drivers written in Rust would avoid these classes of bugs, benefiting everyone.

Other voices, like Google kernel security engineer Kees Cook, agree that rewriting existing code is risky, but using Rust for new development is highly effective.

In the debate over Ojeda’s policy, Hellwig corrected the claim that some subsystem maintainers outright reject Rust, noting that Linus Torvalds would merge Rust code despite maintainer opposition, and that developers must confront Rust regardless of personal preference.

Recent Developments

Linus Torvalds politely responded to Hellwig’s objections about adding Rust bindings for the DMA API, pointing out that the proposed Rust code does not touch the C‑maintained core components but serves as an interface between the unchanged C API and Rust drivers.

He clarified that a maintainer cannot control who uses their code and that ignoring Rust contributions effectively forfeits any say over Rust‑related changes.

“I technically respect you, and I enjoy working with you,” a kernel lead added.