I did mean to leave a review a couple of weeks ago, but forgot, sorry!

Imo, given that this is not in ehal proper, and if required the users who need poisoning can write their own bus wrapper (and maybe PR it back here?), this LGTM.

ehal bus is not ehal and we can be a bit more selective on what level of support we want to provide out of the box :D.

After discussion in today's meeting I now believe we should not require infallible pins, we shold instead keep the current implementation, document how it handles errors and recommend the user use another implementation if it doesn't suit their requirements.

the TLDR is

• This doesn't fix the full problem: there's a similar case where flush fails so the SPI keeps clocking out buffered bits, we deassert CS then unlock the bus, another driver asserts their CS and now the buffered bits go to the wrong device. Therefore we should require infallible SPI too, but that's not practical
  • @GrantM11235 proposed an alternative: specify flush must not return before SPI is stopped in ALL cases, even on failure, but I don't believe this is generally feasible and I don't think it's worth complicating the SpiBus contract to accomodate for SpiDevice implementation technicalities.
• Therefore we should apply the same "policy" to SPI and CS errors. Not doing so would be inconsistent. However most SPIs out there are fallible, so this would be quite burdensome for the user.
• the 3rd alternative (poisoning) is too complex, it requires wrapping the SPI bus into an "inner" struct for all users even if they're not affected by this problem. It's also not zero cost.