Rust PCI drivers might need to access device configuration space with
runtime bound check. The existing ConfigSpace abstraction only provides
infallible methods (read8/16/32) that use compile-time bounds checking via
io_addr_assert, which cannot handle dynamic offsets.

Add fallible I/O methods to ConfigSpace.

Signed-off-by: Zhi Wang <zhiw@nvidia.com>
---
 rust/kernel/pci/io.rs | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/rust/kernel/pci/io.rs b/rust/kernel/pci/io.rs
index 026e7a3b69bd..9fc9af0f9bfc 100644
--- a/rust/kernel/pci/io.rs
+++ b/rust/kernel/pci/io.rs
@@ -112,6 +112,17 @@ macro_rules! call_config_read {
         let _ret = unsafe { bindings::$c_fn($self.pdev.as_raw(), $addr as i32, &mut val) };
         val
     }};
+
+    (fallible, $c_fn:ident, $self:ident, $ty:ty, $addr:expr) => {{
+        let mut val: $ty = 0;
+        // SAFETY: By the type invariant `$self.pdev` is a valid address.
+        let ret = unsafe { bindings::$c_fn($self.pdev.as_raw(), $addr as i32, &mut val) };
+        if ret != 0 {
+            Err(EIO)
+        } else {
+            Ok(val)
+        }
+    }};
 }
 
 /// Internal helper macros used to invoke C PCI configuration space write functions.
@@ -140,6 +151,16 @@ macro_rules! call_config_write {
         // Return value from C function is ignored in infallible accessors.
         let _ret = unsafe { bindings::$c_fn($self.pdev.as_raw(), $addr as i32, $value) };
     };
+
+    (fallible, $c_fn:ident, $self:ident, $ty:ty, $addr:expr, $value:expr) => {{
+        // SAFETY: By the type invariant `$self.pdev` is a valid address.
+        let ret = unsafe { bindings::$c_fn($self.pdev.as_raw(), $addr as i32, $value) };
+        if ret != 0 {
+            Err(EIO)
+        } else {
+            Ok(())
+        }
+    }};
 }
 
 // PCI configuration space supports 8, 16, and 32-bit accesses.
@@ -162,9 +183,7 @@ fn maxsize(&self) -> usize {
         self.pdev.cfg_size().into_raw()
     }
 
-    // PCI configuration space does not support fallible operations.
-    // The default implementations from the Io trait are not used.
-
+    // Infallible methods with compile-time bounds checking
     define_read!(infallible, read8, call_config_read(pci_read_config_byte) -> u8);
     define_read!(infallible, read16, call_config_read(pci_read_config_word) -> u16);
     define_read!(infallible, read32, call_config_read(pci_read_config_dword) -> u32);
@@ -172,6 +191,15 @@ fn maxsize(&self) -> usize {
     define_write!(infallible, write8, call_config_write(pci_write_config_byte) <- u8);
     define_write!(infallible, write16, call_config_write(pci_write_config_word) <- u16);
     define_write!(infallible, write32, call_config_write(pci_write_config_dword) <- u32);
+
+    // Fallible methods with runtime bounds checking
+    define_read!(fallible, try_read8, call_config_read(pci_read_config_byte) -> u8);
+    define_read!(fallible, try_read16, call_config_read(pci_read_config_word) -> u16);
+    define_read!(fallible, try_read32, call_config_read(pci_read_config_dword) -> u32);
+
+    define_write!(fallible, try_write8, call_config_write(pci_write_config_byte) <- u8);
+    define_write!(fallible, try_write16, call_config_write(pci_write_config_word) <- u16);
+    define_write!(fallible, try_write32, call_config_write(pci_write_config_dword) <- u32);
 }
 
 /// Marker trait indicating ConfigSpace has a known size at compile time.
-- 
2.51.0