Linus, however, is not distributed. If a malicious commit was discreetly slipped into his repository as a seemingly Linus-sourced change, there is enough trust in him that the change would likely propagate.

Not without going through a quite extensive review process and then finally getting signed off (with a crypto signature) by several people.

It's not entirely impossible but there are far more easier ways of getting malware out there.

The ultimate goal might not be to simply get malware out there per se, but to discredit Linux's reputation as a secure OS.

If that is the case, going to extra trouble to infect Linux kernel source may well be worth it for the attackers.