The Google security blog has a
detailed article on what a device driver written in Rust looks like.
“That is, we use Rust’s ownership discipline when interacting with C
code by handing the C portion ownership of a Rust object, allowing it to
call functions implemented in Rust, then eventually giving ownership
back. So as long as the C code is correct, the lifetime of Rust file
objects work seamlessly as well, with the compiler enforcing correct
lifetime management on the Rust side, for example: open cannot return
stack-allocated pointers or heap-allocated objects containing pointers to
the stack, ioctl/read/write cannot free (or
modify without synchronization)
the contents of the object stored in filp->private_data, etc.“

Source: LWN.net – Rust in the Linux kernel (Google security blog)