GET /api/patches/2196010/?format=api
{ "id": 2196010, "url": "http://patchwork.ozlabs.org/api/patches/2196010/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260212162730.440855-3-adamhet@scaleway.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260212162730.440855-3-adamhet@scaleway.com>", "list_archive_url": null, "date": "2026-02-12T16:27:25", "name": "[2/2] block/curl: add support for S3 presigned URLs", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "52e4f055a4ef34d8b0cb1db29aeb7d183696b2af", "submitter": { "id": 90623, "url": "http://patchwork.ozlabs.org/api/people/90623/?format=api", "name": "Antoine Damhet", "email": "adamhet@scaleway.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260212162730.440855-3-adamhet@scaleway.com/mbox/", "series": [ { "id": 491995, "url": "http://patchwork.ozlabs.org/api/series/491995/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=491995", "date": "2026-02-12T16:27:23", "name": "block/curl: fix S3 presigned URL support", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/491995/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196010/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196010/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=scaleway.com 
header.i=@scaleway.com header.a=rsa-sha256\n header.s=google header.b=F1zvCAAw;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fBgjW6Qs6z1xr1\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 13 Feb 2026 03:29:03 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1vqZYZ-0001eO-M1; Thu, 12 Feb 2026 11:28:43 -0500", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <adamhet@scaleway.com>)\n id 1vqZY9-0001Q3-AU\n for qemu-devel@nongnu.org; Thu, 12 Feb 2026 11:28:17 -0500", "from mail-wm1-x329.google.com ([2a00:1450:4864:20::329])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <adamhet@scaleway.com>)\n id 1vqZY3-0007jc-Nf\n for qemu-devel@nongnu.org; Thu, 12 Feb 2026 11:28:17 -0500", "by mail-wm1-x329.google.com with SMTP id\n 5b1f17b1804b1-4836f363ad2so266635e9.1\n for <qemu-devel@nongnu.org>; Thu, 12 Feb 2026 08:28:10 -0800 (PST)", "from localhost (710304585.box.freepro.com. 
[130.180.219.188])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-4835b958b6csm140710445e9.1.2026.02.12.08.28.08\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 12 Feb 2026 08:28:08 -0800 (PST)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=scaleway.com; s=google; t=1770913689; x=1771518489; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=R8Mg3xLx5AR9QnULNPfNm28Oi0tteTYNIGto3Ebs6+s=;\n b=F1zvCAAwSSoenJNkzD6tOQzdoK0wSTyEZLJQkqxMolH5ZC6cVvFN53NWVvt79gMaqk\n B/kXfN1/3O/j1WxBK8oey3t2gK3dDjN9wOdgNn0p5tU9PK7NWBcLcriDw9vBAWtfDLAR\n ClO+tR0HFKzwWGUnuFY+gX09KyoB42Pc5IYfXZRwbh+OsAraPALr5WwRZ1wD+19Pxb22\n BueDy5Ke5755Wotwv14n3xTITP5vTauO5wuzdcRnZdhu4zptRKzObwDt/tbZhLP1mxxK\n NXb1NVlz5kI2J/Q65a27tn7eZkN/yjPHFhjZhCy9pkkYoKgW7NcjW4XH6N4vz9xtM7RE\n SKEA==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1770913689; x=1771518489;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=R8Mg3xLx5AR9QnULNPfNm28Oi0tteTYNIGto3Ebs6+s=;\n b=STHd+cmjQUbo2zYZlKRyOcku+MUoBpqLoCpSojPOCB0934QrYhEpNaFznLd1wqIfk7\n h5xJ4aFsmrqYMvgeCwWOOfz4J6JvDJZJv1sGtNA4apd+kS07GeuWhRMmMczscSSx+1Q3\n gaJhDRaQTtEIPCR1K6NCf6vtbolQolnDTy9OkJCGsHBIDYuMtFjrDlsyt7bN7EujvTX8\n htvhEvemr7pI/9adw8HHihDISuNR0W/RFjf4uNe2/JJVLbn35Jzu1tlZZv21AEXJdV4X\n 0f4lKMbYEfwY99k9DXxgLVIhroL17yzcehHtWvZmNkTnYRNBL9Y3OOEJOoBoPnll+eYj\n CeWQ==", "X-Gm-Message-State": "AOJu0Yz75YA09QKTjS0dZbQqoA9RQ8uuP7zNRbtUpYor30u/KNe/NNTp\n FX1kvEwimwxWil6YFFmNeAC86/3Fvc+uakpJwC9U+HRl9HFXvcC3SN+Fo/uqw6IHweO0RxRPtTG\n caqd+", "X-Gm-Gg": "AZuq6aI010WwowMP8sk7gnXZk8tqtm0Wp/qaX5OPvyIwxFPDNjTlcki7+U4opP4Ie4V\n 25e9wTHcvsJQ9WHz+pi8Rjuo1kIZDn2mBvauUjZcTulbJ7CbXEYPxjcICswLVzAlLCD7zDuQlmS\n 
bqDtxj+d9hDCu2wlDa2QyYJiMYl53Ll4X0QEgLfDiFf4dLYcpwvIhHFFkB/PHlAjilT/t08WzUk\n cwr45/oHPLHLijDnBemL+/BqysXfTGWi5HXQgtmwTHxIPDBvnMYtMilyWajOAV6Ckd11Dy1tlb7\n JrwkabiVj1R/GH8xSUnoYLDO/SBGuIvJT6fC2XDES2YlhcdKcBHrv+AG7kFuTML2o45cE/iT57F\n ti09eNp7wLxZ7yapbymA3WCcoIGfeoY6t2gcZA3AC+t1IgXHz41oBWbtAwNumebyNa6YOv4PsDa\n WJWx1DzqFQnqCgMzZ4Fujx7NfSXSWy3oPRZ8qcrjYzdOG/6o6X", "X-Received": "by 2002:a05:600c:3b85:b0:483:6ff1:18b with SMTP id\n 5b1f17b1804b1-4836ff103a7mr4975605e9.0.1770913689197;\n Thu, 12 Feb 2026 08:28:09 -0800 (PST)", "From": "Antoine Damhet <adamhet@scaleway.com>", "To": "qemu-devel@nongnu.org", "Cc": "Antoine Damhet <adamhet@scaleway.com>, qemu-block@nongnu.org,\n Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>,\n Pierrick Bouvier <pierrick.bouvier@linaro.org>,\n Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>", "Subject": "[PATCH 2/2] block/curl: add support for S3 presigned URLs", "Date": "Thu, 12 Feb 2026 17:27:25 +0100", "Message-ID": "<20260212162730.440855-3-adamhet@scaleway.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260212162730.440855-1-adamhet@scaleway.com>", "References": "<20260212162730.440855-1-adamhet@scaleway.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Received-SPF": "pass client-ip=2a00:1450:4864:20::329;\n envelope-from=adamhet@scaleway.com; helo=mail-wm1-x329.google.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n 
<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "S3 presigned URLs are signed for a specific HTTP method (typically GET\nfor our use cases). The curl block driver currently issues a HEAD\nrequest to discover the backend features and the file size, which fails\nwith 403.\n\nAdd a 'force-range' option that skips the HEAD request and instead\nissues a minimal GET request (querying 1 byte from the server) to\nextract the file size from the 'Content-Range' response header. To\nachieve this the 'curl_header_cb' is redesigned to generically parse\nHTTP headers.\n\n$ $QEMU -drive driver=http,\\\n 'url=https://s3.example.com/some.img?X-Amz-Security-Token=XXX',\n force-range=true\n\nEnabling the 'force-range' option without the backend supporting it is\nundefined behavior and untested but the libcurl should ignore the body\nand stop reading after the HTTP headers then we would fail with the\nexpected `Server does not support 'range' (byte ranges).` error.\n\nSigned-off-by: Antoine Damhet <adamhet@scaleway.com>\n---\n block/curl.c | 104 ++++++++++++++++++--------\n block/trace-events | 1 +\n docs/system/device-url-syntax.rst.inc | 6 ++\n qapi/block-core.json | 14 +++-\n 4 files changed, 90 insertions(+), 35 deletions(-)", "diff": "diff --git a/block/curl.c b/block/curl.c\nindex 6dccf002564e..66aecfb20ec6 100644\n--- a/block/curl.c\n+++ b/block/curl.c\n@@ -62,10 +62,12 @@\n #define CURL_BLOCK_OPT_PASSWORD_SECRET \"password-secret\"\n #define CURL_BLOCK_OPT_PROXY_USERNAME 
\"proxy-username\"\n #define CURL_BLOCK_OPT_PROXY_PASSWORD_SECRET \"proxy-password-secret\"\n+#define CURL_BLOCK_OPT_FORCE_RANGE \"force-range\"\n \n #define CURL_BLOCK_OPT_READAHEAD_DEFAULT (256 * 1024)\n #define CURL_BLOCK_OPT_SSLVERIFY_DEFAULT true\n #define CURL_BLOCK_OPT_TIMEOUT_DEFAULT 5\n+#define CURL_BLOCK_OPT_FORCE_RANGE_DEFAULT false\n \n struct BDRVCURLState;\n struct CURLState;\n@@ -206,27 +208,33 @@ static size_t curl_header_cb(void *ptr, size_t size, size_t nmemb, void *opaque)\n {\n BDRVCURLState *s = opaque;\n size_t realsize = size * nmemb;\n- const char *p = ptr;\n- const char *end = p + realsize;\n- const char *t = \"accept-ranges : bytes \"; /* A lowercase template */\n+ g_autofree char *header = g_strstrip(g_strndup(ptr, realsize));\n+ char *val = strchr(header, ':');\n \n- /* check if header matches the \"t\" template */\n- for (;;) {\n- if (*t == ' ') { /* space in t matches any amount of isspace in p */\n- if (p < end && g_ascii_isspace(*p)) {\n- ++p;\n- } else {\n- ++t;\n- }\n- } else if (*t && p < end && *t == g_ascii_tolower(*p)) {\n- ++p, ++t;\n- } else {\n- break;\n- }\n+ if (!val) {\n+ return realsize;\n }\n \n- if (!*t && p == end) { /* if we managed to reach ends of both strings */\n- s->accept_range = true;\n+ *val++ = '\\0';\n+ g_strchomp(header);\n+ while (g_ascii_isspace(*val)) {\n+ ++val;\n+ }\n+\n+ trace_curl_header_cb(header, val);\n+\n+ if (!g_ascii_strcasecmp(header, \"accept-ranges\")) {\n+ if (!g_ascii_strcasecmp(val, \"bytes\")) {\n+ s->accept_range = true;\n+ }\n+ } else if (!g_ascii_strcasecmp(header, \"Content-Range\")) {\n+ /* Content-Range fmt is `bytes begin-end/full_size` */\n+ val = strchr(val, '/');\n+ if (val) {\n+ if (qemu_strtou64(val + 1, NULL, 10, &s->len) < 0) {\n+ s->len = UINT64_MAX;\n+ }\n+ }\n }\n \n return realsize;\n@@ -668,6 +676,11 @@ static QemuOptsList runtime_opts = {\n .type = QEMU_OPT_STRING,\n .help = \"ID of secret used as password for HTTP proxy auth\",\n },\n+ {\n+ .name = 
CURL_BLOCK_OPT_FORCE_RANGE,\n+ .type = QEMU_OPT_BOOL,\n+ .help = \"Assume HTTP range requests are supported\",\n+ },\n { /* end of list */ }\n },\n };\n@@ -690,6 +703,7 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,\n #endif\n const char *secretid;\n const char *protocol_delimiter;\n+ bool force_range;\n int ret;\n \n bdrv_graph_rdlock_main_loop();\n@@ -807,35 +821,56 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,\n }\n \n s->accept_range = false;\n+ s->len = UINT64_MAX;\n+ force_range = qemu_opt_get_bool(opts, CURL_BLOCK_OPT_FORCE_RANGE,\n+ CURL_BLOCK_OPT_FORCE_RANGE_DEFAULT);\n+ /*\n+ * When minimal CURL will be bumped to `7.83`, the header callback + manual\n+ * parsing can be replaced by `curl_easy_header` calls\n+ */\n if (curl_easy_setopt(state->curl, CURLOPT_NOBODY, 1L) ||\n curl_easy_setopt(state->curl, CURLOPT_HEADERFUNCTION, curl_header_cb) ||\n curl_easy_setopt(state->curl, CURLOPT_HEADERDATA, s)) {\n- pstrcpy(state->errmsg, CURL_ERROR_SIZE,\n- \"curl library initialization failed.\");\n- goto out;\n+ goto out_init;\n+ }\n+ if (force_range) {\n+ if (curl_easy_setopt(state->curl, CURLOPT_CUSTOMREQUEST, \"GET\") ||\n+ curl_easy_setopt(state->curl, CURLOPT_RANGE, \"0-0\")) {\n+ goto out_init;\n+ }\n }\n+\n if (curl_easy_perform(state->curl))\n goto out;\n- /* CURL 7.55.0 deprecates CURLINFO_CONTENT_LENGTH_DOWNLOAD in favour of\n- * the *_T version which returns a more sensible type for content length.\n- */\n+\n+ if (!force_range) {\n+ /*\n+ * CURL 7.55.0 deprecates CURLINFO_CONTENT_LENGTH_DOWNLOAD in favour of\n+ * the *_T version which returns a more sensible type for content\n+ * length.\n+ */\n #if LIBCURL_VERSION_NUM >= 0x073700\n- if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, &cl)) {\n- goto out;\n- }\n+ if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T,\n+ &cl)) {\n+ goto out;\n+ }\n #else\n- if (curl_easy_getinfo(state->curl, 
CURLINFO_CONTENT_LENGTH_DOWNLOAD, &cl)) {\n- goto out;\n- }\n+ if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD,\n+ &cl)) {\n+ goto out;\n+ }\n #endif\n- if (cl < 0) {\n+ if (cl >= 0) {\n+ s->len = cl;\n+ }\n+ }\n+\n+ if (s->len == UINT64_MAX) {\n pstrcpy(state->errmsg, CURL_ERROR_SIZE,\n \"Server didn't report file size.\");\n goto out;\n }\n \n- s->len = cl;\n-\n if ((!strncasecmp(s->url, \"http://\", strlen(\"http://\"))\n || !strncasecmp(s->url, \"https://\", strlen(\"https://\")))\n && !s->accept_range) {\n@@ -856,6 +891,9 @@ static int curl_open(BlockDriverState *bs, QDict *options, int flags,\n qemu_opts_del(opts);\n return 0;\n \n+out_init:\n+ pstrcpy(state->errmsg, CURL_ERROR_SIZE,\n+ \"curl library initialization failed.\");\n out:\n error_setg(errp, \"CURL: Error opening file: %s\", state->errmsg);\n curl_easy_cleanup(state->curl);\ndiff --git a/block/trace-events b/block/trace-events\nindex c9b4736ff884..d170fc96f15f 100644\n--- a/block/trace-events\n+++ b/block/trace-events\n@@ -191,6 +191,7 @@ ssh_server_status(int status) \"server status=%d\"\n curl_timer_cb(long timeout_ms) \"timer callback timeout_ms %ld\"\n curl_sock_cb(int action, int fd) \"sock action %d on fd %d\"\n curl_read_cb(size_t realsize) \"just reading %zu bytes\"\n+curl_header_cb(const char *key, const char *val) \"looking at %s: %s\"\n curl_open(const char *file) \"opening %s\"\n curl_open_size(uint64_t size) \"size = %\" PRIu64\n curl_setup_preadv(uint64_t bytes, uint64_t start, const char *range) \"reading %\" PRIu64 \" at %\" PRIu64 \" (%s)\"\ndiff --git a/docs/system/device-url-syntax.rst.inc b/docs/system/device-url-syntax.rst.inc\nindex aae65d138c00..e77032e9e4b6 100644\n--- a/docs/system/device-url-syntax.rst.inc\n+++ b/docs/system/device-url-syntax.rst.inc\n@@ -179,6 +179,12 @@ These are specified using a special URL syntax.\n get the size of the image to be downloaded. 
If not set, the\n default timeout of 5 seconds is used.\n \n+ ``force-range``\n+ Assume the HTTP backend supports range requests and avoid doing\n+ a HTTP HEAD request to discover the feature. Typically S3\n+ presigned URLs will only support one method and refuse other\n+ requests types.\n+\n Note that when passing options to qemu explicitly, ``driver`` is the\n value of <protocol>.\n \ndiff --git a/qapi/block-core.json b/qapi/block-core.json\nindex b82af7425614..ff018c2d6bfb 100644\n--- a/qapi/block-core.json\n+++ b/qapi/block-core.json\n@@ -4582,12 +4582,17 @@\n # @cookie-secret: ID of a QCryptoSecret object providing the cookie\n # data in a secure way. See @cookie for the format. (since 2.10)\n #\n+# @force-range: Don't issue a HEAD HTTP request to discover if the\n+# backend supports range requests and rely only on GET requests.\n+# This is especially useful for S3 presigned URLs. (since 11.0)\n+#\n # Since: 2.9\n ##\n { 'struct': 'BlockdevOptionsCurlHttp',\n 'base': 'BlockdevOptionsCurlBase',\n 'data': { '*cookie': 'str',\n- '*cookie-secret': 'str'} }\n+ '*cookie-secret': 'str',\n+ '*force-range': 'bool'} }\n \n ##\n # @BlockdevOptionsCurlHttps:\n@@ -4605,13 +4610,18 @@\n # @cookie-secret: ID of a QCryptoSecret object providing the cookie\n # data in a secure way. See @cookie for the format. (since 2.10)\n #\n+# @force-range: Don't issue a HEAD HTTP request to discover if the\n+# backend supports range requests and rely only on GET requests.\n+# This is especially useful for S3 presigned URLs. (since 11.0)\n+#\n # Since: 2.9\n ##\n { 'struct': 'BlockdevOptionsCurlHttps',\n 'base': 'BlockdevOptionsCurlBase',\n 'data': { '*cookie': 'str',\n '*sslverify': 'bool',\n- '*cookie-secret': 'str'} }\n+ '*cookie-secret': 'str',\n+ '*force-range': 'bool'} }\n \n ##\n # @BlockdevOptionsCurlFtp:\n", "prefixes": [ "2/2" ] }
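Review bot: In the `curl_header_cb` hunk of block/curl.c, the total after the `/` in `Content-Range` is written straight from the server's response into `s->len` with no upper bound, whereas the old path went through the signed `cl` and rejected negative values. If `qemu_strtou64` follows `strtoull` in accepting a leading minus sign, a negative-looking total would also parse successfully, and any code outside this hunk that treats the length as signed would see a negative size. Parsing into a local `uint64_t len` and storing only a checked value avoids both: `if (g_ascii_isdigit(val[1]) && !qemu_strtou64(val + 1, NULL, 10, &len) && len <= INT64_MAX) { s->len = len; }`. Separately, `trace_curl_header_cb(header, val)` now emits every response header, which can include `Set-Cookie` values; consider tracing only the header name, or only the two headers this function acts on.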
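Review bot: The `runtime_opts` hunk registers `force-range` in the option list that `curl_open` reads for every URL, while the QAPI hunks add it only to `BlockdevOptionsCurlHttp` and `BlockdevOptionsCurlHttps`. Nothing visible in `curl_open` checks the scheme before setting `CURLOPT_CUSTOMREQUEST` to `"GET"`, so if the option can reach an FTP URL through the legacy option path (not confirmable from this page), the custom request string would be applied to a transfer where it means something different. Rejecting the option with a clear error when the URL is not `http://` or `https://` would keep the code in line with the schema.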
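Review bot: In the `curl_open` probe hunk, the `force_range` branch never confirms that the server answered the `0-0` request with a partial response, and the unchanged `!s->accept_range` test below still requires an `Accept-Ranges: bytes` header even though the option's help text says range support is assumed. A server that ignores `Range` sends no `Content-Range`, so `s->len` stays `UINT64_MAX` and the user gets "Server didn't report file size." rather than the range error the commit message expects. Checking the status after `curl_easy_perform()` with `curl_easy_getinfo(state->curl, CURLINFO_RESPONSE_CODE, &code)` and requiring 206 would let this branch set `s->accept_range = true` on real evidence and report the right error otherwise. A one-line comment that `CURLOPT_NOBODY` is deliberately left at `1L` so libcurl stops after the headers of the GET would also help, because the combination with `CURLOPT_CUSTOMREQUEST` is easy to misread; `curl_open` begins and ends outside the hunk.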