The ISRG Wants To Make the Linux Kernel Memory-safe With Rust (arstechnica.com) 124
mrflash818 writes: The Internet Security Research Group (ISRG) -- parent organization of the better-known Let's Encrypt project -- has provided prominent developer Miguel Ojeda with a one-year contract to work on Rust in Linux and other security efforts on a full-time basis. Rust is a low-level programming language offering most of the flexibility and performance of C -- the language used for kernels in Unix and Unix-like operating systems since the 1970s -- in a safer way. Efforts to make Rust a viable language for Linux kernel development began at the 2020 Linux Plumbers conference, with acceptance for the idea coming from Linus Torvalds himself. Torvalds specifically requested Rust compiler availability in the default kernel build environment to support such efforts -- not to replace the entire source code of the Linux kernel with Rust-developed equivalents, but to make it possible for new development to work properly. Using Rust for new code in the kernel -- which might mean new hardware drivers or even replacement of GNU Coreutils -- potentially decreases the number of bugs lurking in the kernel. Rust simply won't allow a developer to leak memory or create the potential for buffer overflows -- significant sources of performance and security issues in complex C-language code.
Inaccurate summary (Score:5, Informative)
"Replacement of GNU Coreutils" has nothing to do with the kernel. And also, "Rust simply won't allow a developer to leak memory" is a false statement, see https://doc.rust-lang.org/book... [rust-lang.org]
Re:Inaccurate summary (Score:5, Insightful)
"Replacement of GNU Coreutils" has nothing to do with the kernel.
Absolutely. As someone who is a big supporter of Rust, this whole thing from start to finish sounds like someone who has no idea what Rust is about made it up. Additionally we already have a GNU coreutil in Rust with uutils [github.com]. Is a really neat project, not exactly ready for prime-time, but is absolutely a project that's got some really enthusiastic people behind it. Additionally, what they do have done is quite good.
And also, "Rust simply won't allow a developer to leak memory" is a false statement
Absolutely. Rust will prevent you from SOME kinds of leaks, but shoot. There's literally a Box::leak [rust-lang.org] that literally allows you to on purpose leak memory. Getting around the Rust compiler to leak memory is done in very obvious and easy to find ways, so if your code review requires that you not do those things, you going unsafe/using a leak method/not using weak reference is going to stand out like a klaxon in a cucumber patch. However, outside of a code review, there's literally nothing stopping you from telling the compiler to stop being such a snob on the code.
Everything in this article is bad, bad, bad, and double bad. There are zero reasons at this time to whole hog swap the Linux Kernel over to Rust. There's still tons of work to do in the compiler to make it really shine and perhaps one day Rust will be ready to take on something as complex as the Linux kernel, but it is not this day.
Enforcing a ban on unsafe Rust (Score:2)
if your code review requires that you not do those things, you going unsafe/using a leak method/not using weak reference is going to stand out like a klaxon in a cucumber patch. However, outside of a code review, there's literally nothing stopping you from telling the compiler to stop being such a snob on the code.
That's true for now and for Rust.
It's never been true of C# or Java. C# runs in a virtual machine called the CLR, and the CLR can verify when loading a program whether or not it has anything unsafe in it. Several platforms using the CLR have had a policy of no unsafe code, namely Silverlight, Windows Phone 7, and Xbox Live Indie Games. Likewise, the Java platform has JNI to segregate "unsafe" things, and several Java profiles (applet, MIDP, and the like) ban JNI. If Rust gets ported to such a virtual machin
Re: (Score:2)
There's literally a Box::leak [rust-lang.org] that literally allows you to on purpose leak memory.
Why would such a thing exist? Shouldn't something somewhere have a reference to the memory for it to be useful?
Re: (Score:2)
How about: Your device needs a section of main memory allocated to it for working space but you don't do anything with it after the allocation.
Re: (Score:2)
one day Rust will be ready to take on something as complex as the Linux kernel, but it is not this day
You seem to be a bit out of touch. A simple device driver in Rust has already been posted to LKML [lwn.net] and Linus is basically on board with the project.
Re: (Score:2)
I would counter that you are the one who seems to be out of touch. From the actual email [lkml.org]:
Please note that the Rust support is intended to enable writing drivers and similar "leaf" modules in Rust, at least for the foreseeable future. In particular, we do not intend to rewrite the kernel core nor the major kernel subsystems (e.g. `kernel/`,`mm/`, `sched/`...). Instead, the Rust support is built on top of those.
So when I say as complex as the kernel itself, that's backed up by statements from the actual kernel maintainers. You can present your arguments on technical merit, but if you're diving into semantics of what "something as complex as the Linux kernel" means, you can go fuck off. I don't deal with semantic peons.
Re: (Score:2)
You must be a lot of fun at parties. You sure beat that straw man all to pieces. Rust is targeted at drivers for the time being, not core. Nobody with a clue thinks even that will be a walk in the park, but there is significant momentum behind the experiment.
My, this topic does seem to flush the antisocials out into the open.
Re: (Score:2)
You must be a lot of fun at parties
I am because I go to the parties that have people who know what they are talking about in attendance.
Nobody with a clue thinks even that will be a walk in the park, but there is significant momentum behind the experiment.
So you think the comment:
one day Rust will be ready to take on something as complex as the Linux kernel, but it is not this day
applies here, good to know that you are not above the fray of changing your mind when presented evidence.
My, this topic does seem to flush the antisocials out into the open.
Yes, accurate description of me, thank you. To counter, time has value. So before you begin opining on "how out of touch I am", perhaps you can save us all some time and read the email that you yourself linked in your pointing out of "how out of touch I am" and come to the posit
Re: (Score:2)
What a self obsessed windbag.
Re: (Score:2)
Right, the Rust "safety" involves run time overhead. In a lean and mean kernel (which really doens't apply to the big Linux kernel :-) you don't want extra run time overhead. So Rust allows you to turn off the safety when you need to, which is needed in this case. Rust would be used in the same way that C is used, only with a different syntax and with mostly the same level of safety as a late model GCC. Any benefits would accrue solely from static analysis and stricter type rules.
Rust has no idea whatso
Re: Inaccurate summary (Score:2)
Right, the Rust "safety" involves run time overhead.
Mostly false. The rust runtime is actually comparable in size and complexity to the C runtime. It's quite small. Just like C, there are a few minor safety checks at runtime, (for example, heap integrity checking) but not many. Most of the safety guarantees happen at compile time. But also like C, the runtime can be skipped entirely or replaced, just as the Linux kernel already does in favor of its own panic handler.
So Rust allows you to turn off the safety when you need to, which is needed in this case.
Only in some parts, but even so, unsafe rust actually offers more safety guarantees at compil
Re: (Score:2)
Even a NULL pointer is perfectly valid many times because "0" is a valid memory location (the trick to avoid the first 1MB on Linux applies only to PCs).
NULL pointers are valid, because C says you can have a pointer to any location. The trouble only comes when you try to dereference it. C also has the extra "guarantee" that 1-past-the-end pointers are valid for comparison with other pointers derived from that underlying object/array, but that pointer can never be dereferenced safely.
Re: (Score:3)
As for kernel vs application code, Rust a
Re: (Score:2)
As for kernel vs application code, Rust already compiles against baremetal, and kernels and user land. The global allocator can be changed as appropriate.
Actually, that's a big problem for Rust in kernel - kernel doesn't just have one global allocator, it has many different allocators, including slab, pages, pools, limited heap-like vmalloc, others. Rust will need to learn some fundamental new tricks to accommodate these. Box simply isn't enough. Not to worry, bright minds are involved and it shall be done, but it's not just a matter of changing "the global allocator", far from it.
Re: (Score:2)
"Replacement of GNU Coreutils" has nothing to do with the kernel.
-5, Reading Comprehension.
Supporting Miguel Ojeda’s Work on Rust in the Linux Kernel [memorysafety.org]
Re: (Score:3, Insightful)
No actual experience with the Linux kernel or the Rust language, but I have experience with C/C++ and C#/Java to make the comparison.
Re: (Score:2)
Re: (Score:3)
I'm working on low level code now where I really suspect the original devs really had no clue how C works, and their primary method of development is cutting-and-pasting code from others. I see tons of typedefs that are not needed in any way, it was just a habit as if the developer though that every assignment to a variable required a type cast, really bizarre stuff. I see typecasting pointers to (void*) which just shows that the dev has never read a C standard or a C textbook (like using a bandsaw for yo
Re: (Score:2)
I suppose my chief problem here is that when working in any kernel, particular with memory management and device drivers, you're pretty much going to have to turn most of the safeties off, at which point, is Rust really any more secure than C/C++? At the end of the day, no matter how much people like Linus may bitch and groan, microkernels still have something of an edge here.
Re: (Score:3)
you're pretty much going to have to turn most of the safeties off
Rust allows you to turn off specific safeties and only for the minimal sections of code.
Even for a device driver, only a few "wild" pointers are needed, and they should only be used in clearly marked code blocks.
is Rust really any more secure than C/C++?
In the hands of an experienced and highly skilled device driver programmer, maybe not.
In the hands of your average co-worker, definitely.
microkernels still have something of an edge here.
With a microkernel, you can continue to service serial interrupts after your filesystem segfaults.
The number of people who find that useful: 0.
Re: (Score:2)
Re:Inaccurate summary (Score:5, Insightful)
Then why have different languages at all? We all know that programming languages are turing complete, so why even bother making new ones with new syntax?
Let's just pick one language and add modules to it forever, because apparently language choice doesn't matter.
This is a deeply asinine statement and I wish people would stop repeating it. Some languages make things easier than others. C is a great language, but one of the things it makes easy is stomping on memory and crashing. To say that we can't do better with modern languages with modern affordances is ridiculous.
Bad code will always exist, sure, but some languages give you less rope to hang yourself with. Or at the very least, they hang you in a completely different way. Sometimes the tradeoffs are worth it.
Re: (Score:2)
Some languages make things easier than others.
English vs German.
Re: (Score:2)
Re: (Score:2)
Nice idea but poor choice of example.
As a native English speaker (UK citizen), I would argue that for speakers of neither language, German would be the easier of the two to learn.
Spelling is consistent and logical - if you can read it, you can pronounce it - same way, every time (unlike the vagaries of English - eg number of ways of pronouncing ough)
Tenses are simpler
Word order is deterministic
As for C vs Rust -- I don't have enough knowledge of Rust to form an opinion, but this will be an interesting large
Re: (Score:2)
German spelling is only mostly consistent and German has a lot of unmarked long vowels.
Re: (Score:2)
Way way back when I was a TA for a compilers class I had a relatively bright student ask me "why do we need to learn this stuff, we already have a compiler?" I was kind of baffled he would even ask it, since he did work on mutliple types of machines. I do remember him being really annoyed that his favorite optimization tricks on the VAX did not work on the new fangled Suns.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
First thing ... (Score:5, Funny)
Re: (Score:3)
I still don't understand how systemd managed to take over Linux. I assume it has something to do with RedHat, but with all I've read, I just get more confused how they managed to pull it off on a system that's supposed to be open source.
Re: (Score:2)
Re:First thing ... (Score:4, Insightful)
I still don't understand how systemd managed to take over Linux.
Lots of admins can't actually program. A couple of bash scripts confuse them. They'd rather set up a configuration file and hope that whatever reads and executes based on its settings accounted for all the possible use cases. If not, too bad. NOTABUG. WONTFIX.
Poettering's laptop boots just fine. He doesn't understand why your datacenter servers do not.
Re: (Score:2)
Yeah, it feels like there's room in the world for "SensibleD" - systemd without the stupid. Just enough to get the system to boot but no more than that. If you want all of Poettering's crap, then you can install it as add-ons, but otherwise, you get to boot and do no more. Timers, DNS, pluseaudio and that crap he was talking about for home directory permissions - forget all of it.
FWIW, I do rather appreciate having my process's STDOUT go straight to syslog, and not having to do that whole double fork malarc
Re: (Score:3)
Listen to what Benno Rice has to say about the tragedy of systemd
https://youtube.com/watch?v=o_... [youtube.com]
The concept is good. My biggest bug bear is that its systemctl action service rather than systemctl service action. If you don't understand the issue with that you don't understand the problem. Also when running in a terminal it should give you some fecking feedback as to whether the service started or not.
One does get the feeling that Pottering has never actually had to look after a bunch of servers. I think t
Re: (Score:2)
One does get the feeling that Pottering has never actually had to look after a bunch of servers. I think the proposal to have all your screen/tmux/nohup killed when you logout is extremely illuminating.
Wait...what?!
Re: (Score:2)
here's your sign [ycombinator.com]
(The sign says STOP, and under "STOP" there is a sticker that says systemd)
Re: First thing ... (Score:3)
Systemd *almost* took over. Devuan, Gentoo and Funtoo all fully support openrc and Devuan still supports sysv init. It works just fine on my modern Dell xps laptop. Support those distros and keep them alive.
Re: (Score:2)
Slackware too!
Re: (Score:2)
i detect a fork of the kernel coming (Score:3)
Re:i detect a fork of the kernel coming (Score:4, Insightful)
"One developer" to rewrite the work of more than 20 years of programming by an entire team? tbh it will be an achievement if they get a single driver written in Rust.
Re: (Score:2)
Re: (Score:2)
hey, it's a "prominent" developer, you insensitive clod!
anyway, the real fun of all this will come in a year when (if!) linus is asked to accept the genius hypersafe work into the kernel. this can be epic.
Re: (Score:2)
Re: (Score:2)
They already have Rust working for the most part...The issue is getting Rust to work in a way that doesn't panic by default on certain runtime errors.
Is there a source for what you are saying here?
Re: (Score:2)
Re: (Score:3)
How are they going to do any sleeping in the kernel? Everyone knows Rust never sleeps!
Why Rust? (Score:5, Funny)
They should use JavaScript for this. It's more mature and provides all the same guarantees.
Re:Why Rust? (Score:4, Funny)
How about bash? It's more mature. And seeing as how it's used as the system glue/duct tape/whatever on Linux systems, it should be well tested and debugged by now.
Re: (Score:3, Funny)
Re: (Score:2)
Real programmers set the universal constants at the start such that the universe evolves to contain the disk with the data they want.
Re: (Score:2)
I'd laugh if someone did it in COBOL.
Re: (Score:2)
Why Rust?
Because you can still offline other clan's bases. It's the great equalizer.
I mean, think how unfair it would be if people in different timezones couldn't get into your base server just because you don't happen to be logged in 24/7.
Re: (Score:2)
They should use JavaScript for this. It's more mature and provides all the same guarantees.
I was going to suggest PHP ... (ducks)
False and exaggerated Rust claims (Score:5, Insightful)
Rust would have to use unsafe mode for kernel and drivers, the claims of Rust safety extending to this type of systems programming are utter rubbish. Rust devs might even introduce all manner of new kinds of bugs since their language not intended for OS kernel. (please don't bother linking cute little toy projects)
Re: False and exaggerated Rust claims (Score:2)
Actually even "unsafe" rust offers more safety guarantees than C.
Re: (Score:2)
Re: (Score:2)
Actually that's impressive considering that it's very much a beta right now, and even then that is from 3 years ago.
Also, rust doesn't guarantee no crashes. In fact, it's easy to make your program crash:
let foo: Option<i32> = None;
foo.unwrap();
And that's a good thing, it did exactly what we told it to do, and we'd way rather our programs crash than do unexpected things.
There are ways of making it freeze as well:
loop {};
But that isn't undefined behavior, which is what Rust is good at preventing.
Re: (Score:2)
Intentional panic is arguably not really a crash. You have to work a bit harder to make Rust segfault.
Re: (Score:3)
Assertion made without a shred of proof. When or if someone makes a production grade OS out of Rust we'll see.
Re: False and exaggerated Rust claims (Score:3)
https://doc.rust-lang.org/book... [rust-lang.org]
You can take five actions in unsafe Rust, called unsafe superpowers, that you canâ(TM)t in safe Rust. Those superpowers include the ability to:
Dereference a raw pointer
Call an unsafe function or method
Access or modify a mutable static variable
Implement an unsafe trait
Access fields of unions
Itâ(TM)s important to understand that unsafe doesnâ(TM)t turn off the borrow checker or disable any other of Rustâ(TM)s safety checks: if you use a reference in unsafe code, it will still be checked. The unsafe keyword only gives you access to these five features that are then not checked by the compiler for memory safety. Youâ(TM)ll still get some degree of safety inside of an unsafe block.
In addition, unsafe does not mean the code inside the block is necessarily dangerous or that it will definitely have memory safety problems: the intent is that as the programmer, youâ(TM)ll ensure the code inside an unsafe block will access memory in a valid way.
Re: (Score:2)
You must know nothing of kernel and systems programming if you think that's an argument for Rust affording any protection
Re: (Score:2)
You must know nothing of kernel and systems programming if you think that's an argument for Rust affording any protection
Generally when one wants to argue...they make an actual argument.
Re: (Score:2)
kernel and systems level programming requires all of those unsafe things.
the only one not understanding the argument is you the utterly ignorant Rust shill.
Re: (Score:2)
kernel and systems level programming requires all of those unsafe things.
Yes...nobody said it doesn't...
By the way, has anybody ever mentioned to you that you may be a few cards short of a full deck? Just so you know, they're not actually talking about cards.
the only one not understanding the argument is you the utterly ignorant Rust shill.
Oh noes you figured me out! Now how will I collect my shill money from some forces unknown that have a financial stake in people not paying any money to use Rust...
But seriously, I really doubt ISRG, Google, Microsoft, Linus Torvalds, and many more groups/people that know a hell of a lot more about systems programming than y
Re: (Score:2)
Actually even "unsafe" rust offers more safety guarantees than C.
1. Empty claim, no proof given. Just like any cult that claims that of course _they_ have the best beliefs.
2. Does not matter. When doing C or unsafe Rust, you need to understand what you are doing.
Re: (Score:3)
Heathens...
1. Empty claim, no proof given. Just like any cult that claims that of course _they_ have the best beliefs.
Well you can just try it for yourself if you want. Here's an example:
unsafe {
let foo;
{
let bar = "bar";
foo = &bar;
}
foo.len();
}
Spoiler: It won't compile. If it did, that would be a dangling pointer. Even though it's defined in an unsafe block, that safety feature remains intact. Just one among many that don't even exist in C at all.
Re: (Score:2)
Who cares about an isolated special case that a code scanner would find without problem in basically any language? Or that even valgrind would find?
Oh, right, somebody without a clue about the actual issues would care.
Re: False and exaggerated Rust claims (Score:2)
Except it's neither isolated, nor a special case.
https://doc.rust-lang.org/book... [rust-lang.org]
Re: (Score:2)
Indeed. These people are persistent idiots and liars. Their fetish language _cannot_ deliver what they claim it can. And unsafe mode in Rust will be far worse, because a C coder actually knows of the dangers and has experience with them, while the Rust disciples are used to being protected and coddled. Without their safety-net, they will just keep screwing up badly.
My take is that Linux is actually just giving them enough rope to hang themselves. And they will.
Re: (Score:2)
Re: (Score:2)
Plus, the only unsafe parts of your kernel code that may well be hived off behind a safe API, already written for you.
Re: (Score:2)
Apparent that you haven't looked at the Rust in kernel project, nor are you familiar with Rust. The plan is to provide device driver authors with a safe API by shelling unsafe kernel APIs with mostly zero-cost safe abstractions. As a typical example, spinlock release can be guaranteed when it goes out of scope. Of course there are many complexities and it is highly unlikely that every unsafe hole will be plugged. But when the kernel community decides to do a thing, that thing usually gets done. Git for exam
Re: (Score:3)
but that's false, since kernel code must have unsafe mode code in it.
Rust fanboy delusions...
Rust in the wind... (Score:2)
This seems misguided (Score:2)
Why are they looking at Linux; why not Windows? Oh yeah, they can't do that, can they?
Re: (Score:2)
Why are they looking at Linux; why not Windows?
Actually, Microsoft itself is integrating Rust into their Windows OS and apps.
Re: (Score:2)
But Microsoft can, and are. They are a part of the Rust Foundation and have been adopting Rust for internal use for a number of years now. Their main motivation, from what I've seen in talks, is the 70% or so of Windows vulnerabilities coming from memory safety issues. They seem to feel a significant portion of that can be eliminated by using a safer language like Rust.
Even if you have to use unsafe to accomplish some specific operation in Rust, people seem to forget that the "unsafe" keyword is a bit of a
Its not the language thats the problem (Score:3)
Its people not following good coding principles.
Re: (Score:2)
Its people not following good coding principles.
Indeed. But there is a lot of bad coders that are blaming their tools and keep hoping for that one "silver bullet" language that finally will make their code not suck. Of course, that will never happen as it is fundamentally impossible. These people just keep avoiding facing the truth.
Re: (Score:2)
Not possible (Score:2)
You cannot make an OS kernel memory safe. I think these people have no clue what they are talking about.
Re: (Score:2)
Rust in kernel is targeted at device drivers, not core. It should be possible to provide safe APIs for the vast majority of things device drivers need to do. Linus is at least on side with the experiment.
Re: (Score:2)
I thought that the point was that it *is* broken. Just a little bit broken but that's enough for Linus T.
As an aside, how stable is Rust? I don't know the language myself but read a comment from someone who does, that programming Rust is a moving target - new levels break old features. Opensuse Leap 15.2 and 15.3 both come with Rust 1.43.1, presumably because introducing a newer level would cause too much damage. 1.53.0 is the current level according to https://www.rust-lang.org/ [rust-lang.org].
Re:Don't fix it if its not broken. (Score:4, Insightful)
Rust has a clear policy on breakage. It is mostly forward compatible and breaking changes are not introduced by design. Obviously, it can happen by mistake, through a regression, but the Rust team are fairly good at not doing that.
Breaking changes can be made at a language level with a new "edition" (approximately once every three years). But, even then, the compiler can cope with building an individual library against the old edition and more, that ABI is stable across editions.
There are two previous editions 2015 and 2018. Any code written since 2018 will compile with the current version of the Rust compiler since that is also Rust 2018 edition (although, of course, the compiler binary from 2018 might not be able to compile code written for todays compiler). You can also compile any code written for Rust 2015 with todays compiler without change. You might not be able to combine code written for 2015 and 2018 in to the same library, however you could compile two libraries one in 2015 and one in 2018 and link them together, all with todays compiler.
It's a pretty good stability story. I would imagine that Opensuse is on 1.43 because many rust developers use rustup which installs in user space and produces binaries that work with 1.43. So no one is clammouring for updates.
Re: (Score:2)
There is a package which requires rust >= 1.47 in order to build, I know there have been inquiries within OpenSuse on this. Someone cares, but obviously some others care more so the level remains where it is.
The last time I looked (the end of April) OpenSuse Tumbleweed used rust 1.51 but Leap 15.2 - released at the start of this month - stayed with the older level. I know virtually nothing about the ins and outs of the situation but the bottom line is obvious.
Re: (Score:2)
Presumably because such an endeavor would be a chicken and egg problem.
Insufficient code would be developed for it because there are no users, no one will use it because there isn't enough developed to use.
If they can leave a mostly-C kernel intact and demonstrate rewrites of certain portions in Rust, there's a non-zero chance of it making headway, since that approach would have full kernel functionality, even if it isn't 'pure' rust. If there's enough technical will, that would be the path to go from purel
Re: Why start over? (Score:2)
Mandatory RAII is a bad thing?
Re: Why start over? (Score:2)
Why?
Re: (Score:2)
Some other people hate RAII because they don't understand that RAII for trivially destructible objects (eg POD structs) has no overhead for destruction. C-style structs in C++ have no RAII overhead a
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
> Imagine if instead of a new language there were new language features and a compiler warning level that spat out all of the "unsafe" things. People could just switch over time so that their module no longer generated any warnings
We do have that. Heck, the *defaults* for gcc for the last several years cover most of the unsafe code. Modern gcc also includes mitigations that make legacy unsafe code more safe, like stack canaries.
However, fundamentally C is designed to let the programmer do what they want
Re: (Score:2)
But this isn't what happened.
Re: (Score:3)
third possibility: experience induced cynicism over industry fads.
that's actually a healthy sign of maturity for any developer.
Java could be as fast as C (Score:2)
The reasons for issues are not deep. Things like using UTF16 everywhere. And not having Structs. And the fact that many Java programmers write bloated code.
A better comparison would be C#.Net which as those, as well as an unsafe operator that can be used with care when needed.
Experiments long ago showed that garbage collected code could be more efficient than reference counting which incurs a loss at each allocation. And it avoids memory fragmentation.
For most of the Kernel a modern garbage collected la
Re:Java could be as fast as C (Score:4, Informative)
Experiments long ago showed that garbage collected code could be more efficient than reference counting which incurs a loss at each allocation. And it avoids memory fragmentation.
Garbage collection in VMs avoid fragmentation because the programs running in them don't work with real memory. So they can move things around to compact the heap and silently rewrite pointers to point to the new location. Kernels cannot do that. Kernels don't even have the luxury of virtual memory, let alone virtual pointers on top of it.
Kernels aren't also in the business of making heap allocations will nilly, because even if there were no reference counting, heap allocations are still too expensive in terms of both time and latency.
There's also nothing stopping C/C++/Rust programmers from using custom allocators. Even in managed languages like Java or C#, if you want performance, you also use custom allocation strategies, like ring buffers, or memory pools, or such like. Really, the garbage collected code is only "more efficient" because it is basically "controlled leaking". I've seen small programs use gigabytes of real memory compared to an equivalent C++ program. Once you add enough GC calls does it reduce memory usage by an order or magnitude, but then the program becomes an order of magnitude slower.
A few percent really does not matter in the scheme of things.
It does if you're the kernel. Any unnecessary slowdown in the kernel means the middleware running on top of that, and the applications running on top of the middleware, are slowed down even more. Making a system call is already expensive, and if you had unnecessary overhead to the system call's actual operation, then applications become unusable.